Serial entrepreneur and technology innovation expert Danny Mekić has outspoken views about data protection and privacy. ‘Privacy and security are not each other’s enemies. They go together hand in hand. And without privacy there is no security anyway.’
Danny Mekić was 12 years old when he started working as a volunteer for the newly launched Startpagina.nl and internet provider Het Net. It was there that he learned to code and to think in conceptual terms. When he was 15 he launched his first software company. A hosting provider, an anonymous Valentine’s Day text message service, and a chocolate delivery firm followed soon afterwards. Two years later, he dropped out of the pre-university stream at his high school because he had no time for it. ‘I’m not about making concessions,’ he says. Today, Danny and his team provide advice to 40 of the 100 biggest organisations in the Netherlands, as well as a stream of foreign clients. He has been following developments in the field of privacy and technology protection for 15 years.
How do you define privacy?
‘That is a tricky question. Actually I think that’s not a great word in itself. Privacy is not something you can see. It is intangible. You only know what it is when you have lost it, and then it is too late. I prefer the term ‘freedom’, the freedom to be yourself without interference. Ultimate freedom is being able to be different to others without being afraid of the consequences, while remaining within the letter of the law and without being monitored. That is privacy.’
Why is it so important to protect privacy?
‘If you don’t protect privacy, it will slowly disappear without you noticing. It’s like living in a big apartment and losing a square metre of floor space every year. After World War II you never had to explain why privacy is so important. It was completely logical that the government was kept at a suitable distance. But in this new millennium, the balance has swung the other way. The freedom of citizens all over the world is slowly being eroded by governments and companies. It’s an extremely refined process. Politicians give security services the mandate to gather ever-increasing amounts of information out of fear. It’s like trying to find a needle in a haystack when the whole haystack is made up of needles. Intelligence services, particularly abroad, are monitoring more and more people. Politicians think it is useful, but there is barely any evidence that this is necessary to manage terrorism. Indeed, a lot of the more recent perpetrators of terrorism were already known to foreign intelligence services. They are using all these powers at their disposal, but they still can’t stop them. So do the security services need more data, or more personnel and partnerships?’
If security services can prevent attacks, what is the problem if people have to give up some of their privacy? After all, you are saving human lives.
‘People who know or are afraid they are being watched start acting differently and don’t dare to express alternative views. It’s known as the chilling effect. Sometimes the loss of privacy can have catastrophic effects. Take the dating site Ashley Madison – the site was hacked at the end of 2015 and private information about six million users was there for the taking. Two victims committed suicide because their indiscretions became public knowledge. What would happen if the billions of messages sent, unencrypted, via Facebook were made public? It would create a nuclear privacy bomb, and cause a huge number of relationship crises and legal conflicts. Privacy touches everything and everyone.’
How should an international company deal with GDPR?
‘If you operate outside the EU, then first of all it is a bit more complex. You have to deal with GDPR alongside local rules and regulations that may not be compatible. In terms of the basics, it is not extremely complicated, just a lot of work. GDPR requires you to describe all the data streams you have to deal with in all the countries where you are active.’
What should you watch out for?
‘Whose personal data are you processing and why, who receives it, how long can it be kept and how and where should it be stored and made secure? Above all, you have to be active in estimating the risks attached to data processing. Once you’ve got the full picture of your data streams, compare it to the rules and regulations. What makes it particularly difficult for big companies is that they have to deal with so many other regulations as well as GDPR. But it is important to give GDPR priority.’
Are companies now stepping up their game because of the risk of large fines?
‘That’s hard to say. In the Netherlands, the regulators are fairly small and not that powerful. More than that, the Dutch Data Protection Authority is not exactly aggressive in its approach. Of course, you can’t assume that will continue to be the case because all it takes is one major privacy incident and the mood can quickly change. Fines can be as high as €20 million and that is not exactly small change for many firms. At the same time, experience has shown that big firms regard fines as part of their business case and are not afraid of them either.’
Can you give an example?
‘The hacking of Sony’s PlayStation network is a case in point. The network was offline for a month after hackers managed to break into a database containing the unencrypted passwords of 77 million users. Sony’s CIO had said several years prior to the hack that good security might cost the company $10 million and that he would not spend it to prevent a possible loss of $1 million. In other words, he would rather pay a fine of $1 million than pay $10 million to prevent hacking.’
You advise many major internationals both in the Netherlands and abroad. How have you convinced your clients to deal with security and privacy protection?
‘I help my clients to make the right decisions when it comes to technology and innovation at board level. I recommend they use the help of both in-house and external experts to take the appropriate steps to ensure proper security and privacy protection. For years, I have been urging them to place a responsible disclosure policy on their websites. This is a policy addressed to white hat hackers who are happy to report any weaknesses in your systems that they find. They are the rock stars of tomorrow. They deserve not only to know where they stand, but that they will be rewarded.’
Danny Mekić’s practical GDPR tips
- Only process the personal data you are required by law to process or that the person concerned has given you permission to process
- Only collect personal data which is necessary for the aim it has been collected for
- Don’t use this personal data for any other purpose
- Keep this information for as short a time as possible
- Describe all the personal data your organisation processes, including the purpose, length of time you are keeping the information, and the security measures you have taken
- Don’t forget to make sure your staff are aware of the importance of data protection by using training courses, workshops and presentations
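As an added example, not taken from the interview or from Danny Mekić, the tips above expressed as code: a hypothetical Python processing register that refuses undeclared data streams, rejects fields the declared purpose does not need (data minimisation), blocks reads for any other purpose (purpose limitation) and purges records past their retention period (storage limitation). The class names, processing activities and sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ProcessingActivity:
    """One register entry: what is held, why, on what basis, for how long,
    and how it is secured (hypothetical schema, not from the page)."""
    name: str
    purpose: str
    lawful_basis: str            # e.g. "consent" or "legal obligation"
    fields: frozenset            # the only fields this purpose needs
    retention_days: int
    security_measures: tuple     # e.g. ("encrypted at rest", "role-based access")


@dataclass
class Record:
    activity: str
    subject_id: str
    data: dict
    collected_at: datetime


class PersonalDataStore:
    """Enforces purpose limitation, data minimisation and storage limitation."""

    def __init__(self, register):
        self.register = {a.name: a for a in register}
        self.records = []

    def store(self, activity_name, subject_id, data, now):
        # Every data stream must be described in the register before use.
        if activity_name not in self.register:
            raise KeyError(f"activity '{activity_name}' is not in the register")
        activity = self.register[activity_name]
        # Data minimisation: refuse fields the declared purpose does not need.
        extra = set(data) - set(activity.fields)
        if extra:
            raise ValueError(f"not needed for '{activity.purpose}': {sorted(extra)}")
        self.records.append(Record(activity_name, subject_id, dict(data), now))

    def read(self, activity_name, purpose, now):
        # Purpose limitation: data is only readable for the purpose it was collected for.
        activity = self.register[activity_name]
        if purpose != activity.purpose:
            raise PermissionError(f"'{purpose}' is not the declared purpose")
        return [r.data for r in self.records
                if r.activity == activity_name and not self._expired(r, now)]

    def purge_expired(self, now):
        # Storage limitation: drop records past retention; return how many were removed.
        before = len(self.records)
        self.records = [r for r in self.records if not self._expired(r, now)]
        return before - len(self.records)

    def _expired(self, record, now):
        limit = self.register[record.activity].retention_days
        return now - record.collected_at > timedelta(days=limit)

    def report(self):
        # Plain-text overview of the register, the description the tips call for.
        return [f"{a.name}: purpose={a.purpose!r}, basis={a.lawful_basis}, "
                f"fields={sorted(a.fields)}, retention={a.retention_days}d, "
                f"security={list(a.security_measures)}, "
                f"records={sum(1 for r in self.records if r.activity == a.name)}"
                for a in self.register.values()]


def build_demo_store():
    """Constructed sample register and records (not real data)."""
    register = [
        ProcessingActivity("newsletter", "send the weekly newsletter", "consent",
                           frozenset({"email"}), 30,
                           ("encrypted at rest", "access limited to marketing team")),
        ProcessingActivity("invoicing", "issue and keep invoices", "legal obligation",
                           frozenset({"name", "address", "email"}), 7 * 365,
                           ("encrypted at rest", "audit log on access")),
    ]
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = PersonalDataStore(register)
    store.store("newsletter", "subj-1", {"email": "a@example.com"}, t0)
    store.store("invoicing", "subj-2",
                {"name": "B", "address": "Street 1", "email": "b@example.com"}, t0)
    return store, t0


def run_checks():
    """Exercise the three controls on the constructed data and return the outcomes."""
    store, t0 = build_demo_store()
    results = {}
    try:  # a field the newsletter purpose does not need
        store.store("newsletter", "subj-3",
                    {"email": "c@example.com", "date_of_birth": "1990-01-01"}, t0)
        results["extra_field_rejected"] = False
    except ValueError:
        results["extra_field_rejected"] = True
    try:  # reading newsletter data for a purpose it was not collected for
        store.read("newsletter", "build marketing profiles", t0)
        results["other_purpose_refused"] = False
    except PermissionError:
        results["other_purpose_refused"] = True
    results["visible_for_declared_purpose"] = len(
        store.read("newsletter", "send the weekly newsletter", t0))
    results["purged_after_31_days"] = store.purge_expired(t0 + timedelta(days=31))
    results["records_left"] = len(store.records)
    return results


if __name__ == "__main__":
    for line in build_demo_store()[0].report():
        print(line)
    print(run_checks())
```

The register entry is the single source of truth: a purpose, a field set, a retention period and the security measures are declared once, and the store consults that entry on every write, read and purge, so a data stream that was never described cannot be processed at all.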
Danny Mekić launched his first technology company when he was just fifteen years old. Two years later he left high school to focus on being an entrepreneur full-time. He followed a roundabout route to the University of Amsterdam, where he studied law and has now become the foremost Dutch authority on technology and innovation. An entrepreneur, investor, opinion leader and boardroom advisor, Danny has challenged dozens of multinationals, government bodies and non-profit organisations to make sure they are future-proof.