Full Terms & Conditions of access and use can be found at
http://www.tandfonline.com/action/journalInformation?journalCode=uedp20
EDPACS
The EDP Audit, Control, and Security Newsletter
ISSN: 0736-6981 (Print) 1936-1009 (Online) Journal homepage: http://www.tandfonline.com/loi/uedp20
GDPR – A Y2K-II for Business?
Endre Bihari
To cite this article: Endre Bihari (2018) GDPR – A Y2K-II for Business?, EDPACS, 57:2, 1-9, DOI:
10.1080/07366981.2018.1426929
To link to this article: https://doi.org/10.1080/07366981.2018.1426929
Published online: 08 Mar 2018.
GDPR – A Y2K-II for Business?
Endre Bihari
Abstract. GDPR is not an easy read, so most do not read it. They might read about it, but do not read the Regulation itself, remaining unacquainted with what it actually says. Such unfamiliarity can negatively affect the approach businesses take to data protection. This article aims to provide a method and a process for making GDPR digestible and workable. A historical background and a generic explanation of the European legal system are provided to set the context in which the Regulation exists. A simple method of getting a grasp on GDPR by using mind maps follows this contextual setting. A case is made for using mind maps, highlighting the need to empower the mind to consolidate the immediacy of perception and to store information effectively in long-term memory. The process of creating action items from the sense making described enables the reader to gain a better understanding of the structure and the intent of the Regulation. The key benefits of the method and the process conclude the article.
Discussions around the General Data Protection Regulation (GDPR) are heating up. This is not surprising, as the date from which it applies is drawing nearer. What is troubling is the increasing negativity around it: scaremongering, misinformation and, mostly, ignorance and confusion leading to unnecessary fear. Not even reputable organizations or individuals are immune to these flaws.

It reminds me in some ways of the hype surrounding the Y2K problem. Hysteria was created around a poorly understood problem at the close of the last millennium. Suddenly, every product a vendor had was offered as a solution to Y2K, whether it was a tire tube repair kit, a roof tile, or a software application. Dire warnings prompted the investment of millions of dollars to prevent "the end of the world," as Time put it in its January 18, 1999 issue [1]. Well, we are still here, aren't we? So are the many cans of food that, just in case, believers stored in their bunkers.
Almost two decades later the classic Y2K scenario seems to be re-created. The root of the problem is that the GDPR is not an easy read, so most do not read it. They might read about it, but do not read the Regulation itself, remaining unacquainted with what it actually says. Many raise questions that a careful read of the Regulation would sufficiently answer. Others make authoritative statements, not necessarily being right, but never in doubt. Sadly, this behavior seems to be irrespective of the geographical location or the professional background of the authors. Yet it must be pointed out that unfamiliarity cannot be replaced by ignorant self-confidence. Unfamiliarity begets uncertainty, breeding fear that can be elevated to hysteria. This hysteria is then exploited by the many self-appointed "solution providers" who have not read the Regulation either. Do I overstate the case? I certainly hope so, but I have a feeling I do not.
It does not have to be that way. As I shall argue, such exploitation can be prevented by reversing the process that leads to hysteria. The topic I would like to bring to your attention in this article is how unfamiliarity with GDPR can be removed. I aim to show this in two ways: by providing insights into the historical processes and the legal context that led to the GDPR, and by describing a sense-making method for understanding the content of the Regulation by using mind maps.
HISTORICAL BACKGROUND
General Data Protection Regulation is the more memorable name for Regulation (EU) 2016/679 [2], which entered into force in 2016 and applies from May 25, 2018. It replaces Directive 95/46/EC [3] on the protection of personal data, extending it in both material and territorial scope. In practice this means that its reach goes beyond the boundaries of the European Union: under Article 3 it also binds controllers and processors established outside the EU that offer goods or services to, or monitor the behavior of, data subjects in the EU.

Nothing in this world exists in isolation. Getting a good grasp on the content of GDPR requires an understanding of the origin and growth of the Regulation as well as the intellectual, economic, political, and social processes that brought it about. For a rationale of this statement see On Education – Part 2 [4].
As background, one might want to look at the history of the European Union. A fitting starting point would be to go down memory lane to the European trade blocs after World War II. The two most relevant are the European Economic Community (EEC, established by the Treaty of Rome in 1957) and its counterpart, the Council for Mutual Economic Assistance (CMEA or COMECON, 1949) of the Soviet Bloc. There are two interesting aspects of the latter: the barter transaction system and the Council's 596 legal agreements on citizens' rights (ius civile).

If you have information of interest to EDPACS, contact Dan Swanson (dswanson_2008@yahoo.ca). EDPACS (Print ISSN 0736-6981 / Online ISSN 1936-1009) is published monthly by Taylor & Francis Group, LLC, 530 Walnut Street, Suite 850, Philadelphia, PA 19106. Copyright 2018 Taylor & Francis. All rights reserved.
I also must not omit considering how individual citizens were
viewed and their privacy and personal data treated in the ex–
Soviet Bloc countries. Just as an example, in at least one particu-
lar country some of the National Identity Booklet entries were:
name,
date and place of birth,
occupation,
professional training,
professional qualification,
education,
army ID number,
personal ID number,
mother’s maiden name,
father’s name,
parents’ occupation,
employer’s name and address,
employment start date,
permanent address,
temporary address, and so on.
The ID Booklet had to be carried at all times and presented to any official who asked for it. These officials then had the right to copy any and all of these records for their own purposes.

This is rather difficult to comprehend. I am not sure whether those who did not live in that environment would be able to understand it; however, it is not impossible. The point I am at pains to make is that a large amount of data was collected and retained even when it was not necessary, and the protection of individuals with regard to access to and processing of such data was almost non-existent. In GDPR terms, this is the opposite of the data minimisation and storage limitation principles of Article 5(1)(c) and (e).
Having this background helps in understanding the challenges faced at the enlargement of the European Union (EU). It would be foolish to deny that this whole adventure was full of problems that had to be overcome. In this connection, it may be valuable for the reader to know that two rather opposing mindsets (political, economic, cultural, and so on) needed to be integrated. As the Poland and Hungary: Assistance for Restructuring their Economies (PHARE) Programme [5] (starting in 1989) is directly related to this, it is worth reviewing before looking at the regulations preceding GDPR.
Continuing from that, the next step would be to read Directive 95/46/EC, and then Directive 2002/58/EC [6]; at least the first 12 Recitals of each. These two Directives are direct precursors to GDPR, so they are almost mandatory reading anyway. Note that GDPR repeals only the first of them; the ePrivacy Directive 2002/58/EC remains in force alongside it. There are other antecedent Directives and Regulations, such as Directive 2000/31/EC [7], Regulation (EC) No 45/2001 [8], and Directive 2006/24/EC [9] (the Data Retention Directive, which the Court of Justice declared invalid in 2014), but these have less importance in my opinion than the first two.
LEGAL BACKGROUND
The two treaties forming the basis of EU law are the Treaty on European Union [10] (TEU, 1992), or Maastricht Treaty, and the Treaty on the Functioning of the European Union [11] (TFEU, as renamed by the 2007 Lisbon Treaty). Reading these Treaties and the Directives and Regulations above helps to comprehend the structure and the drafting process of European secondary law, of which GDPR is an instance. As a Regulation it has binding legislative force [12] and is directly applicable in every member state without national transposition, unlike the Directive it replaces, and it follows a standard presentation and set of formulations [13].

Precision, clarity, and simplicity are fundamental requirements for legal certainty. However, because of complexities in the drafting process and legislative procedures, some of these requirements are sometimes sacrificed to achieve consensus between the representatives of member states. This can result in compromised wording that affects the simplicity and quality of the legislation.
It is worth pausing here for a minute to say something about the EU legal system in general. At a more generic level, EU law belongs to the civil law tradition, in which proceedings are inquisitorial rather than adversarial. A main feature of such a civil law system is that codified statutes (in the tradition of the Corpus Juris Civilis) list core principles as the main source of the law, as opposed to cases serving as precedents, as in common law. The judge, acting as the chief investigator, establishes the facts of the case and makes rulings, applying the provisions of the codified statutes, that are not necessarily binding on other judges. Therefore, each ruling might be slightly different.

The Articles in GDPR can be considered the codified statutes (the operative part). The Recitals facilitate understanding of the meaning of the Articles, as interpretive tools that supplement the operative part of the Regulation, and they guide the application of its provisions. Recitals have no binding force of their own and cannot be used to derogate from the Articles, but they are what courts and supervisory authorities turn to when an Article's wording is open to interpretation.
Another aspect of European law making, especially secondary law, is that it is forward looking instead of backward looking. Anticipated problems are addressed early on. Consider for example Case C-131/12 [14], Google Spain SL and Google Inc. v Mario Costeja González; its rationale and its influence on the "right to be forgotten" concept that is dealt with in Article 17 of GDPR. Paragraph 93 of the ruling is especially illuminating on how practical applicability is foreseen and considered early on. Compare this ruling and Article 17, for example, with the creation and application of Public Law 107-204, 116 Stat. 745 [15] (the Sarbanes-Oxley Act of 2002), which followed the corporate and accounting scandals of Enron, WorldCom and others.
Directive 95/46/EC and Directive 2002/58/EC, together with the historical information described above, provide a reasonably accurate context for GDPR. I understand it requires a bit of reading, but it is time and effort well spent. Equipped with such context and background, GDPR makes a lot more sense.
SENSE MAKING OF GDPR
Once the background and context of GDPR are better understood, one can look at its structure [16] and content. The latter cannot be accomplished satisfactorily without the former. Most abandon reading through GDPR, though, because the linear layout is not easy to comprehend.

As stated earlier, GDPR follows the typical structure [16] of EU secondary law. It starts with 173 Recitals, setting out the rationale for the 99 Articles (provisions) of the Regulation, which are grouped into 11 Chapters, some of them divided into Sections. As it is written in the usual bureaucratic language, reading it is quite a challenge. One needs to keep the drafting process in mind as well: the final text is the result of a long negotiating process and it is worded to satisfy each participant's requirements.
There is a lot of detail in the provisions, so it is quite easy to get confused or lost in the text. My aim here is not necessarily to provide much-needed clarity, but rather to describe a possible way to get a reasonable understanding of the Regulation. I am using purposely plain, non-technical language as much as I can, to avoid contributing to the prevalent confusion.

I started by creating a mind map to make sense of and get a grasp on the Regulation. Listing the Chapters of the Regulation gave me a high-level, general understanding of the content. A second mind map was created with the added detail of the Sections in each Chapter. A third mind map included the Articles of each Section. Further details, the numbered Paragraphs, were added in the fourth mind map, and the lettered Points in the fifth. In the last two mind maps the Recitals were mapped to the Articles, and the Articles to the Recitals, completing the set.
HARNESSING HOW THE MIND WORKS
The rationale for this is that mind maps are helpful as aids to study, and to organize and consolidate information. The main advantage of using mind maps lies in the process of creating them, as it harnesses the plasticity of the brain and the nature of the mind.

The mind does not work in a linear, top-down fashion, but rather like a magnet, drawing information from all directions. This is considered the immediacy of perception. The information is stored in short-term memory, which can be considered the notepad of the mind. Long-term memory, on the other hand, is the seat of understanding, the place of schema, where concepts are built and stored. We keep things in short-term memory for about a minute, while long-term memory stores information for life.

The immediacy of perception needs to be consolidated. In order to retain those perceptions, short-term memory items need to be transferred to long-term memory. In this process, however, anatomical changes occur: biochemical processes take place and new proteins are synthesized. Therefore long-term memory creation, and consequently learning, takes time. Added to this is a bottleneck in the hippocampus, hindering swift transfer of our cognitive load.

Another aspect is the topographical arrangement of neurons in our brain, creating nerve or brain maps for every function or thought. As we think, we generate, visualize, structure, and classify ideas, making our brain maps more detailed. These maps can change their size, borders, even location. However, competitive plasticity, which is an intrinsic property of our brains, means that brain maps compete for cortical real estate. If we do not consolidate and use a given brain map, it can shrink and the thought or memory will be lost.

"Our writing tools are also working on our thoughts" (Nietzsche, as cited in Kittler 1999, p. 200) [17], but perhaps more importantly they assist with transferring and consolidating short-term memory into long-term memory. This is where creating mind maps is useful. They can reduce the cognitive load, consequently speeding up the transfer. Information recall will be more effective and information review will also be more rapid.
TRANSLATING SENSE MAKING INTO ACTION ITEMS
Once the mind maps of the Regulation were developed, the real, and fascinating, work began. I applied color coding to stimulate visualization and to aid creative thinking. Red was applied to the provisions whose breach attracts an administrative fine under Article 83. Further color coding highlighted the parts most relevant in my territorial scope. I also emphasized, in different colors, the areas that I, as an information security professional, needed to take care of, and other areas that the general counsel should be aware of. Other colors represented areas where work needed to be done. This provided the necessary focus and clarity, and in the process gave me a good understanding of the structure, the intent, and the regulatory regime.
ACHIEVEMENTS THROUGH THE WORK
The mind mapping tool I used could export the mind maps into different file formats, such as Adobe PDF and Microsoft Office and Project files. This feature enabled me to save my mind maps into MS Project and to create a work breakdown structure (WBS) quite easily. Presentations for senior management were consequently also easy to create. So the mind maps ended up as repositories of actionable items, not just as a visualization of the Regulation.
The above work was quite laborious but beneficial. I could see
how the sections of the Regulation fit together. I could see imme-
diately the areas I had to pay most attention to.
Having multiple mind maps enabled me to step back and take a
higher-level view if I felt that I was getting lost in the details.
Having the mapping of Articles to Recitals and vice versa aided speed and, consequently, responsiveness. During a discussion about a data inventory or data processing register, I could very quickly identify Article 30 (records of processing activities) amid the confusion about what is actually required. Seeing immediately that Recitals 13 and 82 were the related explanations, I was able to provide much-needed clarity. The conversation could then move on to discussing practical solutions relevant to the participants.
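The layering the article describes (Chapters, Sections, Articles, Paragraphs and Points, plus the Article-to-Recital cross-index and the color tags that were later exported as a WBS) can be reproduced outside a mind-mapping tool. The Python below is an added example, not the author's code or any tool's export format. The outline fragment, the tags and every cross-reference except Article 30 to Recitals 13 and 82 (the pairing the article quotes) are the editor's own constructed or assumed data, and the WBS codes are generated from position in the tree. It builds the tree, answers both lookups (Article to Recitals, Recital to Articles), and flattens the tagged nodes into WBS rows.

```python
"""Added example: mind-map layering of GDPR as data, with cross-index and WBS export."""
from collections import defaultdict

# Constructed outline fragment of Regulation (EU) 2016/679, one tuple per leaf:
# (chapter, section, article, paragraph, point, abbreviated title).
# Titles are the editor's paraphrases; only a handful of nodes are included.
OUTLINE = [
    ("III", "3", 17, 1, "a", "Erasure: data no longer necessary for the purpose"),
    ("III", "3", 17, 1, "b", "Erasure: consent withdrawn"),
    ("IV", "1", 30, 1, "a", "Record of processing: controller name and contact details"),
    ("IV", "1", 30, 1, "b", "Record of processing: purposes of the processing"),
    ("IV", "2", 33, 1, None, "Breach notification to the supervisory authority"),
    ("IV", "2", 33, 3, "a", "Breach notification: nature of the breach"),
]

# Recitals read alongside each Article. 30 -> [13, 82] is quoted in the article;
# the pairings for 17 and 33 are the editor's own reading and an assumption.
ARTICLE_TO_RECITALS = {17: [65, 66], 30: [13, 82], 33: [85, 87, 88]}

# The article's color coding expressed as tags. "penalty" follows Article 83(4)-(5),
# which lists Articles 12-22 and 25-39 among those attracting fines (editor's reading).
TAGS = {
    17: {"penalty", "counsel"},
    30: {"penalty", "infosec", "work"},
    33: {"penalty", "infosec"},
}


def build_tree(outline):
    """Nest the flat outline as chapter > section > article > paragraph > point."""
    tree = {}
    for chapter, section, article, paragraph, point, title in outline:
        article_node = tree.setdefault(chapter, {}).setdefault(section, {}).setdefault(article, {})
        article_node.setdefault(paragraph, {})[point] = title
    return tree


def invert(mapping):
    """Reverse index (Recital -> sorted Articles): the last of the mind-map layers."""
    reverse = defaultdict(list)
    for article, recitals in mapping.items():
        for recital in recitals:
            reverse[recital].append(article)
    return {recital: sorted(articles) for recital, articles in reverse.items()}


def recitals_for(article):
    """Which Recitals explain this Article (empty list if none mapped)."""
    return list(ARTICLE_TO_RECITALS.get(article, []))


def articles_for(recital):
    """Which Articles this Recital explains (empty list if none mapped)."""
    return invert(ARTICLE_TO_RECITALS).get(recital, [])


def work_breakdown(tree, tags, want=None):
    """Flatten the tree into WBS rows (code, legal reference, title, tags).

    If `want` is given, only Articles carrying that tag are kept, which is the
    "show me only the infosec items" view. Codes are positional (1.2.3.4.5).
    """
    rows = []
    for ci, (chapter, sections) in enumerate(tree.items(), 1):
        for si, (section, articles) in enumerate(sections.items(), 1):
            for ai, (article, paragraphs) in enumerate(articles.items(), 1):
                article_tags = tags.get(article, set())
                if want and want not in article_tags:
                    continue
                for pi, (paragraph, points) in enumerate(paragraphs.items(), 1):
                    for ki, (point, title) in enumerate(points.items(), 1):
                        code = f"{ci}.{si}.{ai}.{pi}.{ki}"
                        ref = f"Art. {article}({paragraph})" + (f"({point})" if point else "")
                        rows.append((code, ref, title, sorted(article_tags)))
    return rows


if __name__ == "__main__":
    tree = build_tree(OUTLINE)
    print("Article 30 is explained by Recitals", recitals_for(30))
    print("Recital 82 explains Articles", articles_for(82))
    for code, ref, title, row_tags in work_breakdown(tree, TAGS, want="infosec"):
        print(code, ref, title, row_tags)
```

Running the file prints the two lookups and the rows tagged infosec. Extending OUTLINE, ARTICLE_TO_RECITALS and TAGS to the full Regulation is the laborious part the article describes; the functions do not change, and the same rows can be written out as CSV for a project tool.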
Using mind maps reduced the temptation to follow the linear method of note taking. Ideas could flow freely and plans could be formulated while the mind maps were created. As discussed earlier, cognitive load was reduced, both for storing and for recalling information, by harnessing visual memory. I am aware, of course, that the benefits might be different for each person. Yet it is reasonable to argue that the approach is a plausible one.
FINAL WORDS
I hope this gives some perspective to those who are concerned about GDPR. Given the facts, we must conclude that the changes, and the shift of focus from the individual data subject's responsibility to the data collector's responsibility, happened for a number of reasons. These reasons can be identified in the historical and legal background.

I have tried to show that the complexities of reading the Regulation can be overcome. I can say no more than this, for each person must decide how to enact these ideas. Have fun with it instead of sweating over it. Do not wait until the Tyranny of the Urgent [18] dictates your actions.

I also hope that the method described here helps to de-mystify the Regulation and to reduce the fear, uncertainty, and unnecessary hype surrounding it. Misguided authoritative statements based on ignorance can then be reduced.

And remember: ignorance is not a virtue!
Notes
1. Lacayo, R., "The End Of The World As We Know It?", TIME Magazine, Vol. 153 No. 2, viewed 05 February 2018, http://content.time.com/time/magazine/0,9263,7601990118,00.html
2. EUR-Lex, Regulation (EU) 2016/679, viewed 05 February 2018, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=en
3. EUR-Lex, Directive 95/46/EC, viewed 05 February 2018, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=en
4. Bihari, E., 2016, On Education – Part 2, viewed 05 February 2018, https://www.linkedin.com/pulse/education-part-2-endre-bihari/
5. European Parliament, Briefing No 33, The PHARE Programme and the enlargement of the European Union, viewed 05 February 2018, http://www.europarl.europa.eu/enlargement/briefings/33a1_en.htm
6. EUR-Lex, Directive 2002/58/EC, viewed 05 February 2018, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32002L0058&from=EN
7. EUR-Lex, Directive 2000/31/EC, viewed 05 February 2018, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32000L0031&from=EN
8. EUR-Lex, Regulation (EC) No 45/2001, viewed 05 February 2018, https://publications.europa.eu/en/publication-detail/-/publication/0177e751-7cb7-404b-98d8-79a564ddc629/language-en
9. EUR-Lex, Directive 2006/24/EC, viewed 05 February 2018, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32006L0024&from=EN
10. EUR-Lex, Treaty of Maastricht on European Union, viewed 05 February 2018, http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:xy0026&from=EN
11. EUR-Lex, The Treaty on the Functioning of the European Union, viewed 05 February 2018, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN
12. European Union, Regulations, Directives and other acts, viewed 05 February 2018, https://europa.eu/european-union/eu-law/legal-acts_en
13. European Union, Joint Practical Guide of the European Parliament, the Council and the Commission for persons involved in the drafting of European Union legislation, viewed 05 February 2018, http://eur-lex.europa.eu/content/techleg/EN-legislative-drafting-guide.pdf
14. Google Spain SL v Mario Costeja González (2014), Case C-131/12, viewed 05 February 2018, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62012CJ0131&from=EN
15. Sarbanes-Oxley Act of 2002, Public Law 107-204, 107th Congress, viewed 05 February 2018, https://www.gpo.gov/fdsys/pkg/STATUTE-116/pdf/STATUTE-116-Pg745.pdf
16. European Union, Interinstitutional Style Guide, viewed 05 February 2018, http://publications.europa.eu/code/en/en-120000.htm
17. Kittler, F., 1999, Gramophone, Film, Typewriter, trans. G. Winthrop-Young and M. Wutz, Stanford University Press, CA, USA
18. Bihari, E., 2016, Urgent or Important?, viewed 05 February 2018, https://www.linkedin.com/pulse/urgent-important-endre-bihari/
Endre Bihari is an information security professional with over 25 years of progressive experience across a broad range of functional areas and varied industry segments, holding senior positions in large Australian corporates. His scholarly interests include corporate governance, with a strong focus on boards of directors and information security, and the philosophy of education and language, focusing on speech acts. He can be reached at perfres@bigpond.net.au.