Welcome to the third of our monthly reports on the General Data Protection Regulation (GDPR) which is set to become enforceable on May 25th. You can find our first report published in December (from November), and our second published in January (from December). You can also find our blog on some of the best articles on GDPR.
Summary
- Our graph of retweets shows new groups of national and non-national flocks emerging
- We can see more of Europe taking part in the GDPR discussion
- The scammers are getting smarter
- Trending terms remain focused on getting companies compliant
- Top tables have undergone major shifts
- The most interesting accounts include information commissioners and privacy advocates
Our graph of retweets shows new groups of national and non-national flocks emerging
As can be clearly seen in our graph of retweets, national clusters remain central to driving the conversation (even if there is definitely an overlap between them.)
- In green, we see the French flocks, with the CNIL at their heart. As well as its main account which appears in the centre of the clusters, we also see LINC (CNIL’s data lab) and its smaller Anglophone account CNIL_en. Other accounts of note are politicians like Mounir Mahjoubi (Secretary of State in charge of digital affairs) and Paula Forteza (MP for French citizens living in Latin America and co-founder of Jailbreak.paris, a task-force on ‘open movements’ such as open data and open government).
- We also see Guillaume Champeau, ethics and public relations officer at privacy driven search engine Qwant.com, and Cronycle’s own Nicolas Granatino.
The next collection of flocks most obviously contains EU bodies like the EDPS and European Commission, as well as individuals like Margaritis Schinas, the EU Commission’s chief spokesperson, and EU Justice commissioner Vera Jourova. We can also see a number of familiar accounts which deal with data protection and privacy from outside of the EU institutions. Lawyer and privacy advocate Max Schrems makes an appearance here, almost certainly related to his work fighting Facebook’s opaque and unfair data protection.This increased prominence January report seems to stem from the highly anticipated judgment handed down in the European Court of Justice (ECJ) on 24 January.: in the ECJ ruled that whilst Schrems couldn’t bring a suit on behalf of 25,000 users he could pursue individual claim. January 31, 2018 was also the end of his organisation’s NOYB (my privacy is None Of Your business) Kickstarter campaign which succeeded in raising €300,000. We can also see UK based accounts like cyber-security speaker David Clarke and data protection consultant Pat Walshe (Privacy Matters), Belgian security freelancer Xavier Mertens, and even Ann Cavoukian, the Canadian academic responsible for drafting the idea of privacy by design in 2009.
Just beneath the EU/Data privacy cluster of flocks, we find those centered on the British Information Commissioner’s Office. Flocks which spiral off of this include government bodies such as National Cyber Security Centre and the Department for Digital, Culture, Media and Sport, fintech consultant Neira Jones, Telegraph editor Gary Payne, and even Irish singer Sinead O’Connor. It’s noteworthy that no specific government figures appear in these flocks (unlike in France), suggesting that there’s still a sense that data protection remains a specialist field – or perhaps a continuing and understandable fixation on Brexit amongst UK politicians. or maybe the overwhelming focus that Brexit currently extols on British politicians.
One national cluster which didn’t appear in previous analyses is based around Spain. The biggest account of note is IDGTV, a Spanish publisher of technology news. Compared to the above national clusters, Spain seems to have fewer indigenous flocks presently (as seen in the location analysis below). These include journalist Arancha Asenjo, Sage Spain, the national branch of tech firm Sage, and Alejandro Delgado, director of operations at risk management company Audisec.
Moreover, as can be seen by the green lines appearing on the left of the flock cluster, the Spanish flocks appear in this Insight is closely linked to the French ones. Those who appear to connect them include Suzanne Vergnolle, a PhD candidate studying privacy and data protection at Université Panthéon-Assas – Paris II, and Eric Bothorel, a French MP from Macron’s Republique en Marche based in Britanny
Moving away from the national model of flock groupings, we can also see how they form around shared topics. In this case we see a collection of tech firms (with an understandable interest in data protection and the potential fines for failing to deal with it properly). These include American Forrester (which made it big in our previous report), Gibraltar-based blockchain platform YourBlock, Kiwi internet property investor Mepham, as well as Cronycle itself. It’s a reminder that flocks are highly ephemeral and dynamic things, and you can expect that come next month’s report some may have shifted.
There are also even more disparate flocks which appear from examining retweets. GDPR is the glue which ties together voices as wide-ranging as Subrahmaniam Krishnan Harihara (research and analytics manager at the Greater Manchester Chamber of Commerce), GDPR Summit Series (a company running a series of training seminars for companies looking to stay compliant), Paul Stringfellow, director of IT consultancy in Liverpool, and Salford University’s Professional Development programme.
Whilst we can expect to see national boundaries continuing to set much of the parameters for discussion – simply by virtue of the fact that national information commissioners will have important and unique roles to play depending on the specific legislation enacted – these new non-national flock clusters suggest a recognition of universality to the GDPR, particularly amongst businesses and some branches of government.
We can see more of Europe taking part in the GDPR discussion
Whilst the conversation is largely carried out between London, Paris, and Brussels (three cities home to proactive national data commissioners), we’re also seen an increased amount from across the EU (that’s partially down to us increasing the sourcing for more languages, such as Spanish and Italian). What this gives us is a more granular recognition of how GDPR is being discussed across the Continent, and creating a transnational discussion. Flocks linked to Spain, for example, include the EU Commission , Marseille-based digital marketers, and Arancha Asenjo, a tech journalist from Madrid.
Top flocks for Madrid
We can compare that to the more numerous London flocks, which again shows a mixture of accounts from across Europe.
Top flocks for London
A British account unsurprisingly top the list, given the proactive work down by the Information Commissioner’s Office, but we also find Carlos Fernandez, an editor at Wolters Kluwer Legal, the Irish Data Protection Commissioner, leading Austrian privacy advocate Max Schrems, and both the EU Commission and the European Data Protection Supervisor, which have appeared in previous reports, are in the top 10.
This apparent pan-European cross-pollination comes in contrast to our December Insight, in which we saw a surprisingly strong showing by American companies compared to Europe (see the image below):
That American surge was mainly lead by McAfee, a tech company with a large number of followers rather than a particular focus on GDPR. Post-Christmas break, that seems to have faded a little (although New York and California remain in the top location chart). Their blog Securing Tomorrow continues to be active on the topic, like their blog post on February 2nd, 2018 titled ‘The GDPR Basics: What Consumers Need to Know’
The scammers are getting smarter
Whilst data protection is the focus of the GDPR, the top tweet across the fields (from French information commissioner CNIL) is about companies safeguarding themselves from potential scams.
The hashtag is #StopArnaque (roughly ‘stop scams’), and the message is to be very wary of phone calls from individuals claiming to run checks on whether businesses are conforming to GDPR standards. Firms globally are spending large budget on compliance: for example, American research and advisory firm Gartner reported average expenditure of €1.3 million with some firms spending up to €10 million to become GDPR compliant, The rest of the tweets in CNIL’s chain warn that it’s likely that these are scammers, and that rather than responding, users should contact CNIL for more information. It’s a very similar message to CNIL highest ranked tweet in November (which was about alarmist messages about GDPR being used as phishing tools against businesses). What this suggests is that we’re seeing a greater sophistication of scammers as the GDPR implementation date nears and that the boom in compliance consultants (some who make it into our report) means there are new opportunities for scammers to bend the laws to their own advantage.
Trending terms remain focused on getting companies compliant
As we noted in our first report, the trending terms in November had a heavy focus on hacking stories like Uber, and on the urgency of becoming compliant with GDPR. This rather seems to downplay the potential benefits of the GDPR, both in terms of customers’ rights to privacy and controlling the value of their own data, and in terms of businesses engaging in ethical innovation. We still largely see that focus in the trending terms list for January: further evidence that as Gartner reports, 50% of companies will not be compliant come may despite the announcement of GDPR in May 2016.
General data protection terms like ‘compliance’, ‘guidance’, and ‘consent’ all make appearances here, as do those related to actual training (like ‘guide’, ‘ready’, ‘marketing’, ‘webinar’, and ‘workshop’). From these, it might be fair to guess that even though there are only around a hundred days until GDPR kicks in, the market for compliance training is booming. It’s noteworthy that the only companies to make it into the one-term trending list are Facebook and Google, both examples of Big Tech companies which business model relies on harvesting large amounts of data and which have faced scrutiny at the hands of the EU. They are only increasingly likely to face reporting to information commissioners given the extent of data processing which their business model requires.
Facebook’s COO Sheryl Sandberg said on January 23rd that the company would hand over privacy controls to users ahead of the EU law’s implementation.
Our two-term list is interesting in part because it turns up so many non-English hits, which looks like evidence that it’s all too easy to overlook the discussion if you don’t calibrate for linguistic differences. Nevertheless, the terms there are largely similar to those in the first column, discussing ‘protection’, or the date of the GDPR coming into effect.
There are a few interesting two-word terms, however. We find names there like Ulf Ewaldsson, advisor to the CEO at Ericsson, and Elizabeth Denham, the UK Information Commissioner, as well as more nuanced terms related to the corporate world such as ‘business structure’ and ‘training platform’. Nevertheless, it is important to bear in mind that the conversation remains about making sure that companies are compliant, suggesting that even reaching this stage is a struggle – and that we can expect many companies will not be ready come May.
Little change in hashtags
As might be expected, the hashtags around GDPR have remained fairly stable over time – as we can see, the most common remains simply #gdpr, with more general terms like #dataprotection, #privacy, and #cybersecurity following. We can also see that #rgpd (the French version of GDPR) is significantly less common, and that no other language seems to appear in the chart. Perhaps the only new hashtag of note is #cpdp2018, referring to an annual multistakeholder conference held in Brussels to discuss matters like privacy and data protection. Given that it is roughly a year away now, it seems that the conference managed to make it onto our list by dint of a strong push for participants to register.
Top tables have undergone major shifts
Whilst at a macro-level we might expect the leading accounts to stay the same, Cronycle’s algorithm allows us to see how flocks are highly volatile and prone to changes. Thus, whilst the ICO has been consistently in the top spot since November, the CNIL has gone from second in November to twelfth in December, back to second for January; meanwhile, the European Commission didn’t even make the top 25 in the past two reports.
In fact, of the top 25, the majority are entirely new to this list. These include governmental/supra-governmental bodies like EU Justice, the European Data Protection Supervisor, the Spanish Data Protection Authority (AEPD), and the Department of Education; others are journalists like Warwick Ashford and Natasha Lomas at TechCrunch; we even see big companies making a new arrival into our analysis in the form of Oracle.
Of those who remain from previous reports, we see both Max Schrems and his project Noyb, which stands for [my privacy is] None Of Your Business (an NGO designed to help consumers fight for privacy rights in the face of gross power asymmetry) have only slipped a place or two – the relentless drive for better data protection and privacy seems to understandably still have a strong draw for Twitter users.
The same amount of dynamism is found in our list of top connectors, accounts which help connect other users – and are thus essential to keeping conversations going and reaching audiences. Of the top 25, just ten have appeared in one previous report, and only four have appeared in both. Those four, perhaps unsurprisingly, are the top four connectors in our account, although some of them have seen a fair bit of movement. Both Privacy Matters and David Clarke appeared relatively low down in our November report (13th and 11th respectively), before rising to 2nd and 1st in December, and have now switched to 1st and 3rd. GDPR Summit Series, on the other hand, has made the jump from 11th in December to 4th here.
Amongst the accounts which have only appeared in one previous report, we find CNIL – which appeared in 7th in November but vanished in December. Its active communication and setting up an English language Twitter account, have increased its connective influence in the conversation. Yet again, this suggests that we are seeing a surge of European accounts compared to the rather quiet Christmas holiday period across Europe, relative to the US. We also find that CNIL’s far smaller English account has now appeared in 8th position: in spite of having just 1,490 followers, its relation to its parent account has clearly made it indispensable to the GDPR conversation. Another European account which has made an appearance for the first time is the European Commission in 23rd. We also see that NOYB appears in fifth place, having previously failed to make it into the top 25 – another example of how central privacy (i.e. customer’s rights) has become to a conversation which could easily have focused more on data protection (i.e. companies’ duties).
Looking at smaller accounts who didn’t appear in previous lists, we can see examples like tech writer Gabe Doran, French legal counselor Benjamin Benifei, and ‘reformed security pro’ Des Ward, as well as Aurelie Pols, a professor at the IE Business School, Dubai.
(We’d also be remiss not to point out that Cronycle also edges into the top 25 for connectors!)
The most interesting accounts include information commissioners and privacy advocates
The most interesting accounts represent those whose importance to the conversation is greater than their size might suggest. What that means is that we can find accounts which we would expect to have a relatively limited impact but, due to their expertise in a specific subject like GDPR, are surprisingly important.
Perhaps the most obvious factors amongst the top 25 most interesting accounts are the preponderance of information commissioners – six, plus CNIL’s affiliate LINC. It suggests that whilst they lack massive follower counts, they really are leading the conversation. Other accounts which appear here include Max Schrems and NOYB, blockchain company Your Block, Cheshire-based IT company Axon, and the Department of Education.
Conclusion
The increasing role of information commissioners in these reports is a heartening sign that governments across Europe are more fully waking up to the enormous change which GDPR will affect, for big businesses (such as those which can afford to pay the massive fines for data breaches) and for small ones (which likely cannot). Equally positive is the central role played by privacy advocates (in particular Max Schrems) in the discussion, ensuring that the vision of GDPR has strong safeguards for privacy built in. Regrettably aside from France and to a lesser extent the European Union, we are seeing very little involvement from politicians or public figures in the conversation – in spite of Goldman Sachs labeling GDPR as the “the biggest shake-up to privacy law in 20 years” last November.
Never miss a story about GDPR by following our feed
If you are interested in using our data under an Attribution CC-By license to write a report, please contact us.
