WikiProject |Analysis

World business prepares for EU data protection rule

Help us report on whether Europe’s impending new law – the General Data Protection Regulation (GDPR) – is a progressive step towards protecting privacy on the internet.  The GDPR comes into effect on May 25 with the intention of giving EU citizens more control of their information, making it the biggest shake-up in privacy rules since the birth of the internet.  Businesses that deal with personal data will eventually have to overhaul the way they operate. We want to explore what this means for data privacy: will it help or hurt citizens? 

Questions we’d like to explore:

  • What does the GDPR mean for users?
  • How does it affect businesses?
    • US companies must also consider the requirements of the EU-U.S. Privacy Shield Framework, see this factsheet.
  • How are businesses preparing for its implementation?
  • What does privacy mean to you? Especially online?
  • What is considered to be “personal data”?
  • Do you believe GDPR will really benefit citizens? Basically, will it work?
  • Data Protection Officers are increasing in number – what do their roles entail?
  • What upsides for society will the EU walk away from due to GDPR? For example, Facebook’s AI for suicide prevention will be deployed globally except in the EU. Another example is Article 29 on automatic decision-making, where potential benefits of non-biased automatic systems for credit-scoring, talent screening, etc., might not be deployable in the EU.

Key facts we think are central to this story:

  • The regulation will affect organizations outside the EU, as it extends to any that process EU citizens’ data.
  • The EU doesn’t give specific guidelines on how to implement GDPR. Companies have to interpret the regulation to their respective contexts.
  • Under GDPR, individuals will have more rights, including the right to be informed, to be “forgotten” and to object.
  • Brexit won’t affect it – meaning the UK has to conform.
  • Accountability is at the heart of the regulation.

Interviews so far, or sought, include: 

Who or what would you add to this story? Use EDIT to add to directly or tell us in TALK


Started by

United Kingdom
Linh is a staff journalist at WikiTribune with a background in the humanities. She covers the Middle East, Asia, conflict and technology. Though based in London, she has freelanced across Asia, the UK and U.S.

History for Story "World business prepares for EU data protection rule"


01 March 2018

13:49:43, 01 Mar 2018 . .‎ Ed Upright (Updated → update)
03:26:05, 01 Mar 2018 . .‎ Cheryl Stephens (Updated → add resource for info)
03:18:34, 01 Mar 2018 . .‎ Cheryl Stephens (Updated → new source, commercial services provider)

21 February 2018

11:18:08, 21 Feb 2018 . .‎ Linh Nguyen (Updated → Accepted Olof's edits)
11:08:14, 21 Feb 2018 . .‎ Olof Hernell (Updated → Added bullet on Questions to explore)

20 February 2018

14:23:37, 20 Feb 2018 . .‎ Linh Nguyen (Updated → update)
10:52:49, 20 Feb 2018 . .‎ Linh Nguyen (Updated → update)
09:58:28, 20 Feb 2018 . .‎ Fiona Apps (Updated → )
09:48:30, 20 Feb 2018 . .‎ Fiona’s Test User (Updated → testing)

19 February 2018

15:25:30, 19 Feb 2018 . .‎ Angela Long (Updated → de-heroing)
15:24:56, 19 Feb 2018 . .‎ Angela Long (Updated → head)
14:52:20, 19 Feb 2018 . .‎ Linh Nguyen (Updated → removed hero)
14:51:36, 19 Feb 2018 . .‎ Linh Nguyen (Updated → thumbnail)
14:37:26, 19 Feb 2018 . .‎ Angela Long (Updated → EU link)
14:36:04, 19 Feb 2018 . .‎ Angela Long (Updated → save)
14:34:00, 19 Feb 2018 . .‎ Angela Long (Updated → mine)
14:33:32, 19 Feb 2018 . .‎ Angela Long (Updated → tweaks)
14:20:52, 19 Feb 2018 . .‎ Linh Nguyen (Updated → )
14:18:35, 19 Feb 2018 . .‎ Linh Nguyen (Updated → update)
12:14:12, 19 Feb 2018 . .‎ Linh Nguyen (Updated → created rough draft of call out)
12:11:19, 19 Feb 2018 . .‎ Linh Nguyen (Updated → created rough draft of call out)
12:04:12, 19 Feb 2018 . .‎ Linh Nguyen (Updated → created rough draft of call out)

Talk for Story "World business prepares for EU data protection rule"

Talk about this Story

  1. Other

    This is the kind of projects that quality WikiTribune reporting should gravitate around. The kind of things you don’t pick up randomly elsewhere.
    But also keep reporting on the short news that big media forgets to cover. Keep it up

    1. Rewrite

      Thanks for the support, Nino. We are trying all the time!

  2. Hey Linh,

    Fantastic to see this being put together. I work in digital and this is a monumental piece of legislation. I’d like to introduce you to and suggest interviewing:

    Mariella Thanner, COO and Co-Founder of Cybersmart

    They are a UK startup that automates cyber compliance for SMEs. Cyber Essentials, CE+ and soon GDPR & PSI.

    Backed by GCHQ’s first cyber accelerator cohort, Seedcamp & CyLon.

    Let me know if you’d like an introduction.


  3. Other

    I am curious about whether the change will influence criminal investigation? Shall we also include some comments from law makers or prosecutors?

    1. Rewrite

      I am also curious about this too. Do you have any lawmakers or prosecutors in mind you’d like to see comments from?

      1. Rewrite

        Thomas Janovsky, the director of Attorney General Bamberg, and Markus Koths, a German police officer responsible for cybercrimes, may be suitable people.

  4. Other

    It is not only businesses and public bodies that will be affected. Private individuals will also have to be aware.

    I am a committee member of a local U3A group in the UK (University of the Third Age – playtime for the almost senile). Our group has just over 300 members – the total national membership is around 250,000 and there are 1,000 groups around the UK. As it is a charity, I have the status of a trustee, which is effectively, in legal terms, equivalent to being a director. At our monthly committee meeting this morning we discussed the changes from the DPA 1998 rules to the GDPR. There will be increased security requirements as well as re-educating people who have difficulties with electronic communications in the first place. We have a number of sub-groups, which are mainly educational, but some are social. For various reasons, including public liability insurance, each sub-group needs to keep a register of attendees, which should be communicated to a group co-ordinator.

    Attempting to convince 80-plus year old ladies (this is not sexist, most of the group leaders are female) of the necessity to submit data sheets each month is a losing battle! Many of them have no interest in “The Interweb”, as I have heard it called. As a committee, we are fairly confident that we will be compliant, but we are in the process of checking all our processes and risks for almost every file in the system, because almost all of them hold personal data.

    Now this may be seen as a “costless” process, because the U3A is a voluntary organisation. However, it can be extremely time-consuming and our Webmaster’s hairline has receded by an inch in the past few weeks!

    1. Rewrite

      That’s very interesting to hear Peter. There does seem to be a generational gap on the importance of ‘personal data.’ What particular things do these ladies say to you when you try to convince them of the necessity of submitting data sheets?

  5. Rewrite

    Seeing as the GDPR is coming out on the 25th of May, we have four ‘pre-anniversaries’ we can use (25th February, 25th March, 25th April, and then the 25th of May).

    It might make sense to try and publish a story about this on each date?

    My background is in law, and for the first date (25th February) I’m happy to write a research piece that looks at the history of data protection in Europe, how it compares with England and America (as two major common law systems in comparison to the EU civil systems), and what prompted the GDPR.

    Thoughts? Can other people commit to writing three more pieces?

    1. Rewrite

      I am an informatician. Maybe my background can also be helpful in this series. What do you think if I write a report about IT companies? I think they own quite a lot of personal data. (Not so sure if these companies have released anything, though.)

      1. Rewrite

        That could work – what specific things will you tackle in the report?

        1. Rewrite

          I planned to write about marketing, but there is already a lot about it. Let me think a little bit more to find an interesting and novel topic.
          Any suggestion is welcome.

    2. Rewrite

      Hi Damiano, that’s a fantastic idea. The series might be more difficult to deliver considering time and getting people to do it, but I would definitely love to read the research piece you’ve suggested. Will it be an explainer type piece?

      When do you think you can get the piece done by? I’m happy to help any way I can.

      1. Rewrite

        I was indeed thinking about an explainer.

        I’ll try and get it done by Friday 23rd and post it in the talk section so people can add anything they want?

        My background is much more on the European side, so any help with American treatment of privacy would be appreciated.

        1. Rewrite

          No worries, I’ll connect you with our U.S. editor Chuck Thompson who is happy to help you edit the piece as well as provide an American perspective.

          What is your email address?

          And there’s no need to post it in talk, you can just save it as a draft which people are free to contribute to. Please read our journalism guideline to help you get started:

          1. Rewrite

            I like the anniversary ideas and of breaking it down.

            I’d be interested to think through how you’d digest it though:

            I think there’s some work to be done around putting this in historical context. For those within Europe, some of the aspects people are most worried about are actually already in the European Directive.

            There is an argument to be made that there is little new about the consent requirements (was ambiguous consent ever really sufficient!?) but some EU countries never seemed to embrace a zealous approach to rights, this law is a clarification so there can be no misunderstanding… plus an enforcement regime to ensure boards sit up and take note.

            Then you can perhaps highlight what’s new separately (e.g. the new rights, the idea that it has a global jurisdiction if you want to hold data on EU citizens or sell into Europe!)

            1. Rewrite

              Thanks for this. I think the question of whether this directive simply ‘repackages’ is an interesting one, and hopefully one that we can explore in our first ‘context’ piece. I’m in the process of starting to write it. It will be in the usual draft area. So feel free to head over and add anything you think pertinent.

  6. Other

    For many the headline of ‘world prepares’ is a bit of a misnomer. I work with many businesses, most of whom are at quite early stages of dealing with the issues raised by GDPR.

    In particular, there’s a great deal of confusion about what it means in practical terms and an assumption, for many, that as long as their intentions are honourable everything else will be OK. In reality, of course, this will be most people’s experience and so will justify their decision not to make many changes.

    That’s to miss an important opportunity, as well as to fail to properly mitigate the risks inherent in, basically, ignoring regulation. The opportunities arise because those that do this well will:

    – Talk to fewer people, but in a much more relevant way, so driving up conversions (to whatever the goal of the conversation was).
    – Be much clearer about what data will be used for and why it is important. Whilst that will put some people off it will increase confidence for those that choose to share (provided of course that it is only used in a stated way) – I think that will ultimately lead to more relevant sign-ups because the risk of being spammed will fall.
    – I think it will make companies more inquisitive about where internet-based data is stored, shared, and used since they will be responsible for the actions of those who provide services that they use.

    Those who do all of this well, do it transparently, do it with honour will get a much better result, and I think that may lead to GDPR being seen as the nudge the world needed to create a virtuous circle of openness and collaboration between companies and their (potential) customers.

    1. Rewrite

      Thank you for your thoughts William, I agree that there is a great deal of confusion in practical terms, as it seems every company is expected to implement it in their own way.

      I’d love to hear more about how the businesses you work with are dealing with the issues raised by GDPR, despite it being quite early stages. Thanks, Linh

      1. Rewrite

        Mostly, they are not dealing with them!

        I think there’s a lack of ownership of the issues. Sometimes management is delegating to people who don’t have the knowledge or authority to look across the whole business and it often sits in one department or division, with little oversight.

        I encourage leaders to take an interest in the opportunities rather than considering it a (solely) regulatory issue. Invariably once there’s a recognition that GDPR is also about being open and honest with the business contacts that matter, it becomes much easier to champion.

  7. Other

    Hope talk is the right place to share some background, opinions and links?

    I think it holds the potential to be a significant change, but that hinges on the regulator’s actions.

    If senior management buys in, you get a role who should be acting as an advocate for individuals’ rights, has a protected ability to report to board level and independently raise concerns.

    They should also be an ally for the business helping them navigate the legal complexities. Perhaps their most serious power is that if executives overrule a DPO they would need to account for why as part of a regulatory investigation. So they need to think carefully about their choices.

    Ultimately I think it’ll come down to enforcement. If many businesses (in the UK) ignore GDPR as they did DPA 98 then DPOs and the regulator is nowhere to be seen then a reasonably low ranking internal auditor may think twice about challenging senior management over their use of the “digital oil” that is data.

    Inversely an active regulator empowers the DPO to offer the carrot of helping them prepare for the inevitable whilst avoiding the regulatory stick.

    In the UK I sense the ICO is struggling. They are underfunded and pay less for case workers than the DPOs embedded in businesses, which concerns me.

    DPOs will only be a necessary ally for business connecting rights and freedoms if senior management fear a credible reputational risk (the public seem capricious about their privacy sometimes) or if the regulator scares them silly and a DPO is empowered to allay their fears.

    Good DPO resources for the UK:

    The ICO:

    The regulation itself:
    Article 37-39 + recital 97

    I also highly recommend the blogs as general sources and their authors as interview candidates:

    1. Rewrite

      Hello Huw, thank you for your thoughts and the information you provided, I found them very helpful. Can you also expand more on why you sense the ICO is struggling?

      1. Rewrite

        # One half is merely anecdotal:

        1. In the past few months I’ve called for advice on several occasions and been unable to get through after around 2-5 minutes. Earlier in 2017, wait times appeared much less.

        I’ve also rarely seen their web chat client available in recent months – which was usually always accessible in working hours. My suspicion is that staff providing advice may be heavily loaded currently. That page would need to be reviewed more systematically however to confirm a trend.

        Their website also went down for a period recently during working hours.

        We likely won’t know for sure until the publication of their next annual review in Summer (2016/17 version: which has stats on caseload and response times.

        2. Also whilst their advice is improving all the time, we’re still only just getting some key elements. You can see the development of the legal basis section on the waybackwhen machine:

        My personal view is that legal basis is the heart of this regulation, if you don’t know why processing is legal you won’t know how you can use it, share it, keep it or anything else. Yet this guidance is really still only just coming online. This has been a little nailbiting if you’ve been preparing across the year.

        # The other half is more deductive but very much an outsider’s view:

        Alongside the Annual Report we got the Information Rights Strategic plan for the UK (link:

        The commissioner identifies their own challenges (p4-5) as keeping up and growing their workforce at a time where these skills are in demand.

        I have no data on how successful they’ve been on that, but I suspect it’s hard. There are interesting comparisons to be made between the ICO vacancies page ( and rates for staff vs what you see advertised for expertise elsewhere, especially in the private sector. It must be a challenging time to recruit.

        Until October there was also uncertainty on the ICO’s funding model, at least externally. Currently organizations pay a fixed or discounted fee to gain an entry on a register (much like Companies House but for data protection). We’ve known for a while that would go, but not how the ICO would fund itself (note they do not keep receipt of any Civil Monetary Penalties).

        In this blog: we found out some, but not all of the details.

        I imagine they’ve been able to model scenarios and have had confirmations for a bit longer than we’ve known, but it can’t have helped to have revenue uncertainty or an unannounced funding model during a period where you needed to grow a workforce.

        So my use of ‘struggle’ is mostly me wondering how they could not be. They’ve got moving goalposts of legislation (the Data Protection Act is still in the commons), pan European advice (WP29 still publishing), their funding seemed unclear earlier this year, and they’re recruiting in a competitive market, with limited expertise offering Wilmslow wages where some big firms elsewhere are offering double.

        We’ll know for sure in the next annual report – until then every time I can’t get through on the support line I suspect they’re experiencing a challenge.
