GDPR – A Y2K-II for business?

This is an Accepted Manuscript of the article published by Taylor & Francis in EDPACS , Volume 57 Issue 2, available online: https://doi.org/10.1080/07366981.2018.1426929.


Abstract

GDPR is not an easy read, so most do not read it. However, being unfamiliar with it can negatively affect the approach businesses take to data protection. This article aims to provide a method and a process for making GDPR digestible and workable. A historical background and a generic explanation of the European legal system are provided to set the context in which the regulation exists. A simple method of getting a grasp on GDPR by using mind maps follows this contextual setting. A case is made for using mind maps, highlighting the need to empower the mind to consolidate the immediacy of perception and to store information effectively in long-term memory. The process of creating action items from the sense making described enables the reader to gain a better understanding of the structure and the intent of the regulation. The key benefits of the method and the process conclude the article.


Discussions around the General Data Protection Regulation (GDPR) are heating up. This is not surprising, as the date it comes into effect is drawing nearer. What’s troubling is the increasing negativity around it. Scaremongering, misinformation and, mostly, ignorance and confusion lead to unnecessary fear; not even reputable organisations or individuals are immune to these flaws.

It reminds me in some ways of the hype surrounding the Y2K problem. Hysteria was created around a poorly understood problem at the close of the last millennium. Suddenly, every product a vendor had was offered as a solution to Y2K, whether it was a tyre tube repair kit, a roof tile or a software application. Dire warnings prompted the investment of millions of dollars to prevent “the end of the world”, as Time put it in its January 18, 1999 issue[1]. Well, we are still here, aren’t we? So are the many cans of food that – just in case – believers stored in their bunkers.

Almost two decades later, the classic Y2K scenario seems to be re-created. The root of the problem is that the GDPR is not an easy read, so most do not read it. They might read about it, but they don’t read the Regulation itself, and so remain unacquainted with what it actually says. Many raise questions that a careful read of the Regulation would sufficiently answer. Others make authoritative statements, not necessarily being right, but never in doubt.

Sadly, this behaviour seems to occur irrespective of the geographical location or the professional background of the authors. Yet it must be pointed out that unfamiliarity can’t be replaced by ignorant self-confidence. Unfamiliarity begets uncertainty, breeding fear that can be elevated to hysteria. This hysteria is then exploited by the many self-appointed “solution providers”, who themselves haven’t read the Regulation either. Do I overstate the case? I certainly hope so, but I have a feeling I don’t.

It doesn’t have to be that way. As I shall explain shortly, such exploitation can be prevented by reversing the process that leads to hysteria. The topic I’d like to bring to your attention in this article is how unfamiliarity with GDPR can be removed. I aim to show this in two ways: by providing insights into the historical processes and the legal context that led to the GDPR, and by describing a sense-making method: understanding the content of the Regulation by using mind maps.


Historical background

General Data Protection Regulation is the more memorable name for Regulation (EU) 2016/679[2], which comes into effect on the 25th of May, 2018. It replaces Directive 95/46/EC[3] on the protection of personal data, extending it in both material and territorial scope. What this means is that its impact goes beyond the boundaries of the European Union, most likely having a worldwide effect.

The point I’d like to bring to your attention is that things do not exist in isolation in this world. Getting a good grasp on the content of GDPR requires an understanding of the origin and growth of the regulation, as well as of the intellectual, economic, political and social processes that brought it about. For a rationale of this statement see On Education – Part 2[4].

As a background, one might want to look at the history of the European Union. A fitting starting point would be to go down memory lane to the European trade blocs after WW II. The two most relevant are the European Economic Community (EEC, 1959) and its counterpart, the Council for Mutual Economic Assistance (CMEA or COMECON, 1949) of the Soviet Bloc. There are two interesting aspects of the latter: the barter transaction system and the Council’s 596 legal agreements on citizens’ rights (ius civile).

We must also consider how individual citizens were viewed, and how their privacy and personal data were treated, in the former Soviet Bloc countries. Just as an example, in at least one particular country some of the National Identity Booklet entries were:

name,
date and place of birth,
occupation,
professional training,
professional qualification,
education,
army ID number,
personal ID number,
mother’s maiden name,
father’s name,
parents’ occupation,
employer’s name and address,
employment start date,
permanent address,
temporary address, and so on…

The ID Booklet had to be carried all the time and be presented to any officials who asked for it. These officials then had the right to copy any and all of these records for their own purposes.

This is rather difficult to comprehend, though. I am not sure whether those who did not live in that environment would be able to understand it. However, it is not impossible. The point I am at pains to make is that a large amount of data was collected and retained even when it was not necessary. The protection of individuals with regard to the accessing and processing of such data was almost non-existent.

Having this background helps one understand the challenges faced at the enlargement of the European Union (EU). It’d be foolish to deny that this whole adventure was full of problems that had to be overcome. In this connection, it may be valuable for the reader to know that two rather opposing mindsets – political, economic, cultural, and so on – needed to be integrated. As the PHARE (Poland and Hungary: Assistance for Restructuring their Economies) Programme[5] (starting in 1989) is directly related to this, it is worth reviewing it before looking at the regulations preceding GDPR.

Continuing from that, the next step would be to read Directive 95/46/EC and then Directive 2002/58/EC[6], at least the first 12 Recitals of each. These two Directives are direct precursors to GDPR, so they are almost mandatory reading anyway. There are other antecedent Directives and Regulations, such as Directive 2000/31/EC[7], Regulation (EC) No 45/2001[8] and Directive 2006/24/EC[9], but in my opinion these are of less importance than the first two.


Legal background

The two treaties setting the basis of EU law are the Treaty on European Union[10] (TEU, 1992), or Maastricht Treaty, and the Treaty on the Functioning of the European Union[11] (TFEU, 2007). Reading these Treaties and the above Regulations helps one comprehend the structure and the drafting process of European secondary law, of which GDPR is an instance. As such, it has binding legislative force[12] and follows standard presentation and formulations[13]. Precision, clarity and simplicity are fundamental requirements for providing legal certainty. However, due to complexities in the drafting process and legislative procedures, some of these requirements are sometimes sacrificed to achieve consensus between the representatives of member states. This may result in compromised wording that affects the simplicity and quality of the legislation.

It is worth pausing here for a minute to say something about the EU legal system in general. Indeed, we may go so far as to state that, on a more generic level, EU law is inquisitorial in nature rather than adversarial. A main feature of such a civil law system is that codified statutes (the Corpus Juris Civilis) list core principles as the main source for applying the law, as opposed to cases serving as precedents, as in common law. The judge, acting as the chief investigator, establishes the facts of the case and makes rulings – applying the provisions of the codified statutes – that are not necessarily binding on other judges. Therefore, each ruling might be slightly different.

The Articles in GDPR can be considered the codified statutes (the operative part). The Recitals facilitate the understanding of the meaning of the Articles, serving as the interpretive tools that supplement the operative parts of the Regulation. They also enable the application of the provisions of these codified statutes.

Another aspect of European law making – especially secondary law – is that it is forward looking instead of backward looking. Anticipated problems are addressed early on. Consider for example Case C-131/12[14], Google Inc. versus MC González, its rationale and its influence on the “right to be forgotten” concept that is dealt with in Article 17 of GDPR. Paragraph 93 of the ruling is especially illuminating as to how practical applicability is foreseen and considered early on. Compare this ruling and Article 17, for example, with the creation and application of Public Law 107-204, 116 STAT. 745[15] (the Sarbanes-Oxley Act of 2002) following the corporate and accounting scandals of Enron, WorldCom and others.

Directive 95/46/EC and Directive 2002/58/EC, together with the historical information described above, provide a reasonably accurate context for GDPR. I understand it requires a bit of reading, but it is time and effort well spent. It follows from all this that, equipped with such context and background, GDPR makes a lot more sense.


Sense making of GDPR

Once the background and context of GDPR are better understood, one can look at its structure and content. The latter cannot be accomplished satisfactorily without the former. Most abandon reading through GDPR, though, because the linear layout is not easy to comprehend.

As stated earlier, GDPR follows the typical structure[16] of EU secondary law, as shown below.

It starts with 173 Recitals, setting out the rationale for the 99 Articles (provisions) of the Regulation. As it is written in the usual bureaucratic language, reading it is quite a challenge. One needs to keep the drafting process in mind as well: the final text is the result of a long negotiating process and is worded to satisfy each participant’s requirements.

There is a lot of detail in the provisions, so it is quite easy to get confused or lost in the text. My aim here is not necessarily to provide much-needed clarity, but rather to describe a possible way to get a reasonable understanding of the Regulation. I am using purposely plain, non-technical language as much as I can, to avoid contributing to the prevalent confusion.

I started by creating a mind map to make sense of, and get a grasp on, the Regulation. Listing the chapters of the Regulation gave me a high-level, general understanding of the content. A second mind map was created with the added details of the Sections in each chapter. A third mind map included the Articles of each Section. Further details, like the numbered Paragraphs, were added in the fourth mind map, and the Points in the fifth. In the last two mind maps the Recitals were mapped to the Articles, and the Articles to the Recitals, completing the mind maps.


Harnessing how the mind works

The rationale for this is that mind maps are helpful aids to study, and to organising and consolidating information. The main advantage of using mind maps lies in the process of creating them, as it harnesses the plasticity of the brain and the nature of the mind.

The mind does not work in a linear, top-down fashion; it works rather like a magnet, drawing information from all directions. This is considered the immediacy of perception. The information is stored in short-term memory, which can be considered the notepad of the mind. On the other hand, long-term memory is the seat of understanding, the place of schema, where concepts are built and stored. We keep things in short-term memory for about a minute, while long-term memory stores information for life.

The immediacy of perception needs to be consolidated. In order to retain those perceptions, short-term memory items need to be transferred to long-term memory. In this process, however, anatomical changes occur. Biochemical processes take place and new proteins are synthesised. Therefore, long-term memory creation – and consequently learning – takes time. Added to this is a bottleneck in the hippocampus of the brain, hindering the swift transfer of our cognitive load.

Another aspect is the topographical arrangement of neurons in our brain, creating nerve or brain maps for every function or thought. As we think, we generate, visualise, structure and classify ideas, making our nerve or brain maps more detailed. These maps can change their size, border, even location. However, competitive plasticity – which is an intrinsic property of our brains – means that brain maps compete for cortical real estate. If we do not consolidate and use a given nerve or brain map, it can shrink and the thought or memory will be lost.

Our writing tools also work on our thoughts[17] (Nietzsche, as cited in Kittler 1999, p. 200), but perhaps more importantly they assist with transferring and consolidating short-term memory into long-term memory. This is where creating mind maps is useful. They can reduce the cognitive load, consequently speeding up the transfer. Information recall will be more effective and information review will also be more rapid.


Translating sense making into action items

Once the mind maps of the Regulation were developed, the real – and fascinating – work began. I applied colour coding to stimulate visualisation and to aid creative thinking. Red was applied to the parts that would attract a penalty if breached. Further colour coding was used to highlight the parts most relevant to my territorial scope. I also emphasised, in different colours, areas that I – as an information security professional – needed to take care of, or that the general counsel should be aware of. Other colours represented areas where work needed to be done. This provided the necessary focus and clarity, and in the process enabled me to gain a good understanding of the structure, the intent and the regulatory regime.


Achievements through the work

The mind mapping tool I used had the facility to export the mind maps into different file formats, such as Adobe, Microsoft and so on. This feature enabled me to save my mind maps in MS Project and to create a work breakdown structure (WBS) quite easily. Presentations for senior management were consequently also easy to create. So the mind maps ended up as repositories of actionable items, not just as a visualisation of the Regulation.

The above work was quite laborious, but beneficial. I could see how the sections of the Regulation fit together. I could see immediately the areas I had to pay most attention to. Having multiple mind maps enabled me to step back and take a higher-level view if I felt that I was getting lost in the details.

Having the mapping of Articles to Recitals and vice versa aided speed and – consequently – responsiveness. During a discussion about the data inventory or data processing register, I could very quickly identify Article 30 amid the confusion about what is actually required. Immediately seeing Recitals 13 and 82 as the related explanations, I was able to provide much-needed clarity. The conversation could then move on to discussing practical solutions relevant to the participants.

Using mind maps reduced the temptation to follow the linear method of note taking. Ideas could flow freely and plans could be formulated while the mind maps were being created. As discussed earlier, cognitive load was reduced both for storing and for recalling information, harnessing visual memory. I am aware, of course, that the benefits might be different for each person. Yet it is reasonable to argue that it is a plausible idea.


Final words

I hope this gives some perspective to those who are concerned about GDPR. Given the facts, we must conclude that the changes, and the shift of focus from individual data subjects’ responsibility to data collectors’ responsibility, happened for a number of reasons. These reasons can be identified in the historical and legal background.

I have tried to show that the complexities of reading the Regulation can be overcome. I can say no more than this, for each person must decide how to enact these ideas. Have fun with it instead of sweating over it. Don’t wait until the Tyranny of the Urgent[18] dictates your actions.

I also hope that the method described here helps to de-mystify the Regulation and to reduce the fear, uncertainty and unnecessary hype surrounding it. Misguided authoritative statements based on ignorance can then be reduced.

And remember: ignorance is not a virtue!


Notes

[1] Lacayo, R., The End Of The World As We Know It?, TIME Magazine, Vol. 153 No. 2, viewed 05 February 2018, <http://content.time.com/time/magazine/0,9263,7601990118,00.html>

[2] EUR-Lex, Regulation (EU) 2016/679, viewed 05 February 2018, <http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=en>

[3] EUR-Lex, DIRECTIVE 95/46/EC, viewed 05 February 2018, <http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=en>

[4] Bihari, E., 2016, On Education – Part 2, viewed 05 February 2018, <https://www.linkedin.com/pulse/education-part-2-endre-bihari/>

[5] European Parliament, Briefing No 33, The PHARE Programme and the enlargement of the European Union, viewed 05 February 2018, <http://www.europarl.europa.eu/enlargement/briefings/33a1_en.htm>

[6] EUR-Lex, DIRECTIVE 2002/58/EC, viewed 05 February 2018, <http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32002L0058&from=EN>

[7] EUR-Lex, DIRECTIVE 2000/31/EC, viewed 05 February 2018, <http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32000L0031&from=EN>

[8] EUR-Lex, Regulation (EC) No 45/2001, viewed 05 February 2018, <https://publications.europa.eu/en/publication-detail/-/publication/0177e751-7cb7-404b-98d8-79a564ddc629/language-en>

[9] EUR-Lex, DIRECTIVE 2006/24/EC, viewed 05 February 2018, <http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32006L0024&from=EN>

[10] EUR-Lex, Treaty of Maastricht on European Union, viewed 05 February 2018, <http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:xy0026&from=EN>

[11] EUR-Lex, The Treaty On The Functioning Of The European Union, viewed 05 February 2018, <http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN>

[12] European Union, Regulations, Directives and other acts, viewed 05 February 2018, <https://europa.eu/european-union/eu-law/legal-acts_en>

[13] European Union, Joint Practical Guide of the European Parliament, the Council and the Commission for persons involved in the drafting of European Union legislation, viewed 05 February 2018, <http://eur-lex.europa.eu/content/techleg/EN-legislative-drafting-guide.pdf>

[14] Google Spain SL v Mario Costeja González, (2014), Case C-131/12, viewed 05 February 2018, <http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62012CJ0131&from=EN>

[15] Sarbanes-Oxley Act of 2002, Public Law 107-204 107th Congress, viewed 05 February 2018, <https://www.gpo.gov/fdsys/pkg/STATUTE-116/pdf/STATUTE-116-Pg745.pdf>

[16] European Union, Interinstitutional Style Guide, viewed 05 February 2018, <http://publications.europa.eu/code/en/en-120000.htm>

[17] Kittler, F., 1999, Gramophone, Film, Typewriter, trans. G. Winthrop-Young and M. Wutz, Stanford University Press, CA, USA

[18] Bihari, E., 2016, Urgent or Important?, viewed 05 February 2018, <https://www.linkedin.com/pulse/urgent-important-endre-bihari/>
