It was last week claimed that Apple was one of a number of tech giants which was failing to fully comply with Europe’s privacy law, GDPR. Other companies may be deliberately defying GDPR, it is argued today.
A new piece suggests two reasons for companies not complying with one of the General Data Protection Regulation’s key requirements …
One of the rights granted to EU citizens under GDPR is that they can ask for their data to be deleted, and it is this one which scares companies, suggests TNW’s Amnon Drori.
The first reason might be a simple calculation that the data is worth more than the likely fine for non-compliance. Although the maximum fine is an eye-watering 4% of global turnover, the expectation is that this would be reserved for the most egregious cases. Companies may take the view that first they have to get caught, and then they most likely face a much more modest fine.
But the second reason may, argues Drori, be more understandable: fear of breaking their IT systems.
Look at any database, and you’ll see two parts: the data itself and the field name or metadata. If you take an individual database, things are fairly straightforward—each field has a name, and each field is input with data.
But what happens in an organization where several databases exist, built by different people and used by different departments? […] Just mapping their data and getting a full picture of what they have and how it all interconnects is a Herculean task for most organizations—one that many don’t have under control.
On top of that, there’s the additional problem of masked fields, which obscure the field name in order to protect sensitive data, which even some employees may not have clearance to know. When it comes to the big picture of data organization, masked fields create an even bigger mess, as identifying what’s in each field and how it matches to fields in other databases becomes nearly impossible […]
Without understanding how the data is mapped—or in the case of masked fields, what fields are being looked at—then it’s not necessarily understood what’s being deleted.
Deleting a field without knowing the web to which it’s connected could lead to incorrect reports, incorrect data, and a domino effect throughout a company’s entire system.
As for Apple, the company has a stated commitment to rolling out GDPR-standard privacy protections for all its customers worldwide. We haven’t yet seen any details for the allegation made against it, but we should learn more once the complaint is investigated.