Forest and trees in #GDPR in Italy: a #cultural #perspective

First and foremost- thanks for an invitation that allowed me to hear a little about the issues that could affect the application of GDPR in Italy (

Frankly, nothing unexpected, as I saw the same move in the early 2000s with Data Privacy, and in the 1990s with ISO9000.

Now, we Italians are obsessed with “deadlines”- not that then we act accordingly, as there is traditionally always an extension (and when an extension isn’t possible, we are creative with the delivery, getting or granting a de facto extension).

I know that many Italians say that I am arrogant, but, frankly, I am not the only Italian who lived and worked in “ordinary countries” who gets annoyed by the continuous superficiality that seems endemic in my birthplace.

But you know- ignorance is self-reassuring, moreover when those that choose to ignore set the rules.

Piling up laws and national debt seems to be ordinary- and usually most cuts of both result in additional overload.

The funnier part is, of course, what I remember worried my foreign colleagues about Y2K (the “Millennium Bug”- that wasn’t a bug at all: simply, dates weren’t managed with four digits).

Or: we Italians are so used to have last minute changes, that we do everything at the last minute.

Better: one minute past midnight.

And the State bureaucracy is usually the worst offender, also because it is used to… retroactive laws to enforce what would have been needed but was forgotten.

Today was quite interesting, as it was the first time in a while that I was in Italy in a room with people working on a compliance issue that were all discussing different bits of the same theme.

I will not delve into details- if you are interested and are in Italy, there are going to be further sessions in March and April, so you can register.

The key elements that I retained over the last few months on GDPR (say, since November, when I visited the Cloud Europe conference in Frankfurt, and saw a “more ordinary” behaviour and series of discussions)?

Well, that many in Italy keep looking back as if the future were to be an encore of what, eventually, worked before- and mistake the “deadline” for GDPR for the one with the old Data Privacy.

Few people I met across the last semester seem to accept that GDPR entails organizational structure changes, not a one-off event.

The end of May 2018 will be the end, but the end of the beginning, to paraphrase an old sci-fi movie that I quoted long ago.

Today at last I heard few who anyway said as it is- GDPR is actually a backbone “cultural structure” that is needed to ensure the smooth enactment of a digital economy that covers all the EU.

And, incidentally, requires to set up (but that has become a common trait in various regulations) a specific role assigned to a specific person.

Yes, you can outsource it, but, in the name of accountability, you have anyway to have somebody, not something.

Trouble is: way too many focus on the individual trees (this or that bit of technology or process), and do not see the whole picture.

As technology will evolve, “the forest” is the overall concept that you have to build trust and a shared framework on data protection, and extend it to anything that will come across, without any need for new laws.

Just to stay closer home: consider a future where everybody is using mobile payments, or even most exchanges are linked as in Bitcoin, to keep track of who “added value” to a chain of exchanges.

How will you ensure that all the links are compliant? How will you ensure that no malevolent application on your future smartphone will just keep tab of all the patterns that you follow, and provide that information as a service to third parties.

Say, by telling how your purchase is linked to messages you received and information you checked, so that a system can understand who you trust implicitly.

Personally, I think that if we were to use more often the brain, there would be no need even for a watchdog to pronounce a statement whenever a new technology will come through.

Because the principles are set, and anything new concerning “data” “personal data” “sensitive data” would just have to follow suit.

Frankly, I accepted the invitation only because I saw that there would be two key elements that I saw were missing in other conferences on the theme: the legal side, and the “consolidated reporting across multiple systems” side.

If you do not know what I mean, let’s just see an example.

Let’s say that you keep a paper phonebook with names and numbers.

Then, add to that that you have a mobile phone- that one too, contains the same information (at least nicknames and numbers).

Then, you have some scrap of paper with part of that information.

Then, you shared part of that information with somebody else, e.g. to suggest to a friend to call your hairdresser when the shop is closed.

And so on, and so forth.

Or: even as a mere individual, if you were hypothetically asked to comply with the other key element, i.e. access to data within a certain timeframe, you would be unable to comply.

Now, imagine a company.

Do you buy something from a shop that has also a “loyalty card”? They have to keep the information about what you bought when somewhere.

And maybe they have another system to keep track of the events that you attended.

Being a small shop, they might use a third party that stores the data, so that they do not have to bother with PCs configuration, etc.

So, there are three elements that frankly I see more critical than the fines that could be levelled against companies if they are sloppy (not just if they did everything that would be reasonable, but eventually somebody hacked their systems).

First element: having to appoint somebody that knows what (s)he is supposed to do.
Second element: knowing exactly where all the data are, how they evolve, who can access to them, being able to recover the data if and when needed
Third element: being able to answer to questions fully and with all the required details within the mandatory timeframe.

Then, obviously all the software suppliers and consultancies will convince companies that what they offer is exactly what they need.

Back to personal/professional experience.

More than a decade ago, I was senior functional analyst and support (ok, kept also the plan, quality documentation, etc.) to the project manager, for a project whose aim was to have that kind of comprehensive, “systemic” view on customers’ data across various business units of an organization.

The longest work? What was done before we were asked to build the new “customer referential” database, i.e. look into every (digital) nook and cranny, to list what was available where, to what end, etc.

I do not know how many Italian companies have already that kind of information available.

As I wrote above, if ask questions like that, usually you (I and others) are called names, the kindest one being “supponente”/”sprezzante” (roughly “haughty”).

Why? Because in Italy traditionally you do not ask questions unless you already know the answer- that’s one of the reasons why the country piled up its national debt- if you question an “investment”, then when an investment that would benefit your own “tribe” could be questioned later.

In italian is said “una mano lava l’altra” (each hand washes the other).

Well, for statements like that one in Brussels and Rome I was called by Italians “a traitor”, or “a mercenary”- as anybody who dares to criticize is certainly doing that on behalf of somebody else, and while back then somebody hinted that my “masters” were first in UK or USA, then in… Russia, now that I invested some time and money to move forward my German… of course the “traitor” side is hinting often that I am trying to “sell” to Germany.

Eventually, May 25th will arrive.

I think that more than a few Italians do actually really care about Italy, and not necessarily those who claim to be “patriotic” (we are equal opportunity corrupt, left and right).

There are still those who, no matter if they see themselves as part of the elite or mere servant to it, just try to play social/tribe games (e.g. gossiping on those who they assume that are you allies, so that then they can report that you joined the gossip party), as this the quickest and easiest way to obtain “credits”- credits that they can use whenever they want to sell products, services, or need some authorization.

The alternative? Working and following due process- but that, in a country with more that 100,000 laws and regulations, could imply having to wait..

And if there is something that still see as deeply outside the Italian culture, is standing in line like anybody else.

It is improving, if I compare with few decades ago, before I started working abroad, but we still do have a long way to go.

“We”, myself included.

As an American friend and colleague once told me: Italians abroad inserted within an Anglo-American environment were quick learners and able to adapt; moreover, when the rules did not work, were able to lead the way creatively until “normal times” returned.

But when they were inserted back into the Italian environment… there was a regression to the usual “do not stir the (relationship) soup” approach.

And, frankly, long ago my friends joked that I too seemed to sometimes do a queue by myself at the bus stop, also when nobody else was in front of me (London habit), but while I still do not skip lines, nowadays when there is a long line… I go elsewhere 😀

Why this digression and tired about Italian habits? Because they have a strong impact on that is needed to manage the creation of a digital economy, and GDPR is just the tip of the iceberg.

We still need to work a lot about having the patience and resilience to recover from failure and try again, maybe in a slightly different way after learning a lesson or two, but try again, not drop off the race, and do something different.

We were a country of builders of cathedrals- we have to rebuild that culture, if we want, not just for GDPR, to obtain from the digital economy the benefits that our national cultural flexibility naturally endows us (including those from foreign origins but grown up in Italy and within the Italian milieu).

You cannot live just by quick wins…

Leave a Reply