What am I talking about? GDPR, that wonderful legislation by the EU which will "protect" our data. All very good, all very laudable. All very BS. I know quite a bit about this, I have to because it impacts my world so much. GDPR comes into effect on Friday.
Go on, admit it, who's mailbox is filling up with "Our GDPR team recently reached out to you."? Mine certainly is. I've been watching the intensity build and am highly amused by it all in a morbid way. I have predicted, for a while now, that GDPR is going to make all our lives a hell of a lot harder and more expensive. Most people in the business simply didn't believe me or didn't think that it was that momentous. Well until they got the consultancies in to explain to them exactly what it meant.
So, today, I saw the very first indications of what GDPR is going to mean for the average person in the street. Safer data you might think? Actually, no, nobody is really saying your data will be safer, that is not quite what GDPR is about. What I'm talking about is this.
OK you say, but I don't play computer games so why is this relevant to me?
Well let's read some of the statements there.
The new regulations will require more overt explanations of private data being collected, how it will be used, and—in specific cases—the hiring of a Data Protection Officer to oversee compliance.
With me so far? It sounds quite good doesn't it.
As a result, the cost of doing business in Europe is about to go up. It costs to come into compliance with the new directives, and it’ll cost more to operate in Europe going forward.
Getting there, but here is the first indication that the writer of the article doesn't fully know what they are talking about.
Some companies are already feeling the burden. “I'm very sad to announce that Loadout's end of service will be on 5/24/2018,”
Predictable... Especially the blame on GDPR.
Now comes some of the fun stuff.
The GDPR requires companies collecting data have to make that data available to customers upon request within one month, totally free. If that customer wants their data deleted, the company must also be able to completely scrub them and all their data from its systems.
One month seems quite reasonable. Now let us say that you have 1 billion users and 10 million of them ask for ALL of their data.
The second part is more interesting. Completely scrub their data. Now back in 1998 I worked on the Philips Y2K email migration project. I totally re-designed their data storage and the cost, for the re-design, not the storage, was $3 million. Later in the project we realised that we had totally missed the entire backup architecture. We did a back of a fag packet cost structure on an infrastructure which could actually back it up. Philips had a standard of one fully copy on site and off site for every week, one fully copy monthly on site and off site and one full copy off site annually.
We estimated that the cost of providing that backup infrastructure was three times the entire hardware budget for the entire company. Which, at that time, stood at 360 servers and 30tb of storage made up of individual 9.6gb disks. Over 3,000 disks, 2,600 of them in one data centre in Eindhoven (it was quite large).
Now, after that long intro into what I just said, imagine you want to scrub 7 years worth of even 1 users data. Not just from the running systems, not from the running and disaster recovery systems but from your entire backup archive, your specialised indexing servers and their backups, from your legal databases and their backups.....
Even worse is when you realise that most systems are based on other systems....
Cohen said he can’t just update his old systems to work in the new system. “Loadout is dependent on legacy third party services that are being discontinued rather than overhauled for GDPR compliance,”
So why is everyone in a fuss, Data Protection has been there for a long time now, it's just another one isn't it. Big deal we'll just get our hands smacked if we get it wrong.
The potential penalties are astronomical—up to 20 million Euros per infraction or 4% of revenue, whichever is greater."
"per infraction"? Yep, panic...
And the impact continues
Loadout is far from the only game GDPR is killing. Free-to-play MMORPG Ragnarok Online is shutting down its European servers. The MOBA-style shooter Super Monday Night Combat is also shutting down.
Here we get into another little misconception too. Shutting down European servers.
Why do I say that? Because GDPR does not just impact systems and data on European servers. It impacts ANY system Anywhere in the World that contains data About a European Citizen.
This article is just the first act. What we are going to see, in the future, is that EU citizens are going to be locked out of International games and other systems to avoid DGPR impact. Making EU citizens second class citizens on the world stage.
Even more interesting is that the EU will be demanding that Every new trade deal can only be signed up if the country in question agrees to GDPR being implemented by the other country. Which, I expect, means that the EU's last large trade deal will be signed with the UK. I can't see China, Russia or the USA agreeing to those terms.
Unintended consequences? We shall see.