Climate Change Solved: GDPR mitigates climate change risk!

01/10/2019

Whether you believe climate change is a real thing or not, there is no arguing 16-year-old Greta Thunberg is making headlines. Her efforts to raise awareness about this key issue of our time are pretty impressive. Whilst some people don’t think climate change is real, as a person who believes in evidence-based decision-making, I am going to pin my colours to the mast. I’m going with 97% of the world’s scientific community who think we are experiencing a period of climate change. I also support the premise that human activity is a major contributing factor. Climate change risk is real and we have the intelligence, ingenuity and technology to reverse our impacts. The trouble is, accepting a risk exists, and that something needs to be done, doesn’t necessarily mean people or organisations will mitigate the risk effectively. Instead of knee-jerk reactions or grand symbolic gestures, often employed to show ‘something’ is being done, a more measured and nuanced approach is typically needed. Sometimes that means doing things that are counter-intuitive…and looking at risk mitigation from a completely different perspective. In this case, let’s consider the synergies between climate change and GDPR! Strap yourselves in for this one!

Climate change mental health issues

It may surprise some but there are real mental health issues associated with climate change risk. Psychologists are identifying more and more people suffering from what has been coined ‘Eco-Anxiety’. Sufferers’ symptoms appear to be brought on by a ‘waking-up’ to the reality of the rapidly-worsening environmental situation. The symptoms can include panic attacks, obsessive thinking, loss of appetite, and insomnia. The primary cause of the anxiety seems to be that the sufferer feels completely helpless. They know something needs to be done to tackle climate change but feel that their efforts are so inconsequential in the grand scheme of things that we are all ultimately doomed. There is hope though and, with a little creativity and understanding of the facts behind climate change, there are things we can all do to mitigate climate change risk. What may be slightly more surprising to some is that GDPR can be a catalyst in helping employees directly support climate change risk mitigation efforts. But as I said, there first needs to be an understanding of the facts…

Looking into the world of GDPR, we have seen similar anxiety, albeit on a smaller scale, with organisations wondering how on earth they are going to tackle the GDPR question. Worse, unscrupulous GDPR ‘Consultants’ have preyed on that anxiety. Companies have been found to be giving poor advice, leading to more anxiety, confusion and knee-jerk reactions, and not at all delivering the genuine benefits to data subjects that GDPR ultimately intends.

The charity sector has, possibly as a result of such poor advice, blamed GDPR for a reduction in donations. Donations that could be funding environmental improvement projects. I disagree that GDPR caused this reduction in donations and I am not alone. In a panel discussion at Big Questions Live last year, Ian MacQuillin, director of the fundraising think tank Rogare, put the donation reduction down to charities who had not implemented the requirements of the existing 1998 Data Protection Act. Charities were struggling to put measures in place to honour data subjects’ rights that had existed for nearly two decades. Had they been compliant with existing data protection legislation, affected charities would have realised that, in many cases, they already had lawful bases other than consent. Charities instead went into overdrive trying to [unsuccessfully] get opt-in consent. “This is something this sector does,” MacQuillin said. “Rushes into things without being in full possession of the facts, then presents what it has done as the right thing to do.” More interesting was the point highlighted by another panellist at the same event: the fundraising challenge was really a lot less about GDPR consent and more about the approach charities were taking in relation to their fundraising activities.

“…if we’re focused on engagement rather than time and time again hitting people for donations, then there should be no reason why our supporters won’t transition over and continue supporting us.”

The key takeaway is that getting engagement right, in both the climate change debate and the protection of data subjects’ rights under GDPR, will do more to reduce anxiety than rushing into action without fully understanding the facts…or impacts.

Going about things in the wrong way

“I think you will find it’s a little bit more complicated…”

I read an article a couple of days ago in which the author suggests she has permanently retired [her] car to do her bit to mitigate climate change risk. “Great” many may cheer. That gas guzzler will no longer be spewing out poisonous exhaust fumes into the atmosphere. The author then goes on to state:

“So instead of a car, our family now relies on bicycle, public transport, and a rental car when a few days of driving are required.”

Again, further cheers, the author is likely improving her family’s health and contributing to the wider economy by creating new demand in the transport and services sectors. Well actually maybe not…

The problem is, the largest environmental impact of a car is the creation of the car. It can often dwarf the carbon emissions created by actual use of the car. The carbon footprint of car use can be further exacerbated by those who regularly change their car for a newer ‘greener’ model. For those who are interested, the most efficacious way to reduce environmental impact is to use the car you have as little as possible but keep the car for as long as it is reliable. Retiring the car and using a rental car now means a rental car needs to be manufactured in addition to the retired car. Couple this with the fact that most people tend to need cars at the same time and we then have a situation where rental car companies need to hold more cars in stock! It’s also worth noting some rental car companies rotate their cars after only 4 months! It is impossible to remove (one can offset, more on that later…) the carbon already embedded into the manufacture of one’s current car by using a now increased fleet of rental cars. By adopting the measures promoted in her article, the author is encouraging a practice that would significantly contribute to accelerating climate change and the more people that follow, well, the problem just gets even bigger! What would have been more sound advice would be to say something like:

“I’m going to limit the use of my current car but keep it for as long as possible”

Unfortunately, the above statement does not have the same ‘dramatic’ or ‘symbolic’ appeal as getting rid of a car completely – even if it’s going to do a heck of a lot more to reduce climate change impact! Sure, symbolism is good to raise awareness, but what is dangerous is influencing others to do things that could make the whole problem worse. People want to do something. Influencers must, therefore, be careful.

Is youth wasted on the young?

To circle back to Greta Thunberg, she is part of the generation that feels most anxious and disenfranchised about climate change – the young. The ironic thing is her generation may be the generation that has had the greatest impact on climate change – and not necessarily for the positive. In the last 20 years, the carbon footprint of a person has increased significantly. If you compare the carbon footprint of a teenager of Greta’s age in 1999 to the same teenager in 2019, the data is compelling. Young people today make a greater contribution to climate change than those of the same age 20 years ago. Add up the carbon footprint of the devices owned by the average teenager in the UK and it’s significant. Consider mobile phones, tablets, games consoles, laptops, many replaced every 2-3 years. The teenager of 1999 didn’t have access to many of these devices, possibly time-limited access to a family computer and a walkman. Now it is common to see rows of toddlers plugged into an ‘electronic’ babysitter at coffee houses up and down the land.

“Should parents enfranchise their children into the climate conversation by restricting the number of devices they purchase on their children’s behalf?”

It’s an interesting question. Children are blaming their parents for the mess they see us in. How much education is being provided about the impact of their own consumerism? Of course, it’s not just young people who have increased their carbon footprint compared to their historic forebears; we have all played a part in terms of society’s current ‘throwaway’ consumer habits. We upgrade our phones when mobile phone operators offer us a ‘free’ upgrade, leaving perfectly working phones to pile up in drawers. We take more frequent holidays because of budget airlines and cheap package deals. We buy a lot more than we really need and we waste so much!

The same can be said for the way we use data and the GDPR issues this causes. When computing power was expensive, coders would be extremely efficient in the way they wrote their code. Hard drives were at one point only capable of holding a tiny fraction of the data they can hold today and so data structures were more concise. Now we can hold mountains of data in our pockets and have access to more data than we could ever realistically consume through the advent of the Internet. As such, organisations are less concerned when capacity is reached as it’s pretty cheap to just buy more storage.

“It’s pretty cheap to just buy more storage.”

Even at home, we keep multiple copies of our documents, both on our devices and then up in the ‘Cloud’. The data in the cloud is duplicated again multiple times. Ultimately this duplication of storage requires even more physical storage. That means more mining of rare metals to produce more drives. More factories to build those drives and more vehicles to transport those drives to data centres across the world. Those data centres need to be bigger to keep up with demand and those data centres need more power to run and power to keep things cool. Sure, a lot of data centres may use renewable power, but the materials to make more solar panels and wind turbines need to be mined…manufactured…transported…you get the picture!

Ok, so how does GDPR help mitigate climate change risk?

Ok, hands up, GDPR is not going to totally mitigate the effects of climate change but it will help. Putting up a privacy notice on your website is obviously not going to offset the carbon [ahem] pawprint of a family pet. But, by applying some GDPR principles in a positive way, and tying GDPR objectives to your organisation’s Corporate Social Responsibility (CSR) programme, organisations could collectively make a significant dent in reducing the environmental impact of climate change. Better still, employees could be directly empowered to reduce their carbon footprints in a way that works well for everyone! Here are a few simple ways…

Have a Climate Change Clearout

One of the principles of GDPR is that personal data is only kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Article 5(1)(e) if you’re interested. In layman’s terms this means:

“When personal data is no longer needed, dispose of it securely”

Whilst the GDPR only applies to Personal Data, the GDPR principle of data minimisation can equally apply to all data and physical records held by an organisation.

“Data minimisation doesn’t have to be limited to personal data…”

Have a look at the Internet on Every Second, paying attention in particular to the metric concerning data created. Let the site run for 3 minutes and then extrapolate the figure to the amount of hard drive space that will be needed to store all that data…and the costs.

GDPR data minimisation

Imagine therefore what has already been created and is sitting on your organisation’s storage or, even worse, in the cloud. Imagine, for those more commercially focussed, how much could be saved in storage costs by getting rid of not just unlawfully held personal data but all data that is no longer required. Imagine how much individuals could reduce by deleting decades of old personal emails or other random files accumulated over the years. With the right motivation, employees in organisations could all do their part to reduce their organisation’s carbon footprint simply by having a climate change clearout. Such an exercise could even be turned into a competition across departments. In doing so, not only do you maintain your current storage capacity for longer, but you also significantly slow down the demand for new storage capacity.

As anyone who has had a clear out knows, it’s not long before you find you have accumulated additional junk to fill the newly realised space. It’s therefore important to instil some cultural changes to continue to reduce the amount of unnecessary data built up in the first place. Use of a document management system is a good way to go, especially when properly configured to support such things as de-duplication, data retention, the right to be forgotten and e-discovery. But simply linking to your current files in their place of rest, rather than including them in email attachments, can make a real difference with little-to-no investment other than that of creating awareness! Plus, if an accidental recipient can’t access a file sent in error through an email link, you have created what is known as security by design and default. Win-Win!

Go ‘Hybrid’ with a combination of BYOD and VDI

Another GDPR principle is that personal data must be processed in a manner that ensures appropriate security of the personal data. Article 5(1)(f) if you’re interested. This GDPR principle can also be a driver for reducing the environmental impact of technology. As was mentioned earlier in the article, we all have more gadgets than our forebears. Whilst it was customary to have some shared use of a family computer 20 years ago, a lot of households (in the 1st world at least) now have a laptop or tablet per person. By moving to a Virtual Desktop Infrastructure (VDI) which is accessed from employees’ own devices (BYOD), employer and employee work together to reduce the amount of embedded carbon associated with a situation whereby the employee has two laptops (one work and one personal). VDI implemented securely significantly reduces the risk of data leakage and unlawful processing so again, a data leakage risk reduction AND a reduced overall carbon footprint per employee. Win-Win! [Win-Win!].

There is a caveat to this. As with cars, it’s important for organisations not to throw out all their laptops or just wholesale replace old hardware with shiny new thin clients. It’s also important for employees to have access to the technology they need should they not have an appropriate personal device. Implementing a VDI strategy that refurbishes laptops/desktops into thin clients could also be an approach for organisations to adopt. Let’s face it, in most cases, the main thing that fails on a laptop or desktop is the hard drive (and we’ve just saved ourselves a load of those in the last recommendation!). Running as a thin client would mean most laptops could have a significantly longer life. Through such an approach we can still make a significant dent in reducing our environmental impact.

Invest technology savings in carbon offsetting projects

So you have reduced all that storage cost, you have refurbished those old laptops and have empowered your employees to make a direct contribution to reducing their environmental impact. Organisations don’t have to stop there. When an employee chooses BYOD, the cost of a corporate laptop or mobile phone could be reallocated to a fund which invests in carbon offsetting projects. The same could be done with reduced storage costs. For every gigabyte of storage deleted, an amount could be invested in the same fund. Carbon offsetting is the process of buying carbon credits to the value of carbon used by an organisation. This money is then used to invest in projects that improve the environment and help reduce or [hopefully] reverse the impact of climate change risk. Reducing GDPR risk could realistically fund the planting of more trees. That surely confirms GDPR mitigates climate change risk…in part at least!

Get an Outsourced DPO from Fox Red Risk

This final one is a little tongue-in-cheek. Just like climate change, the solutions to GDPR are nuanced. Instead of allowing a charlatan to push extra CO2 into the atmosphere by spouting off really bad GDPR advice, get yourself some expertise that will help you implement GDPR properly!

But seriously, by investing the savings realised through reducing storage costs and adopting VDI into carbon offsetting projects, organisations could double their contribution to reducing the impact of climate change…

…and at the same time as reducing climate change risk, also reduce their GDPR risk. What are you waiting for…

About the Author

Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
