By Mahmood Sher-Jan
CHPC, CEO and founder, RADAR, Inc.
It’s been over a year since the General Data Protection Regulation (GDPR) was adopted, and one year until it takes effect. In my recent travels to conferences, seminars, and meetings with leaders in privacy across the U.S., the GDPR and its fast-approaching May 2018 effective date seems to be top-of-mind for privacy professionals.
When discussing the GDPR, conversations seem to keep returning to the topics:
- Are we prepared?
- What do we risk with noncompliance?
- What does the GDPR signify in a larger context?
In the last year, I have noticed an evolution in the way privacy professionals are talking about GDPR across the board. A year ago–or even a few months ago–conversations seemed to revolve around what is the GDPR, while in recent months the conversation becomes more nuanced: trying to tease out the inherent ambiguities, soliciting clarification, and solidifying how can we prepare and sustain compliance with the regulation.
I find this shift encouraging in that it indicates a wide acceptance that the GDPR enforcement is coming, and will have real impacts on businesses across the globe. It also indicates a growing mindset that preparing for the GDPR is just another mechanism through which you can reassess your current privacy practices and implement improvements for an overall stronger culture of compliance—achieving GDPR compliance as a natural byproduct of pursuing excellence in privacy overall.
Evolving GDPR Conversations: Are we prepared?
There remain many questions about how the GDPR will be enforced, and nuanced in the ways the regulation may be applied, which will need to be sussed out. And of course there are many studies indicating some organizations lag in preparing for GDPR compliance. Consider:
- Gartner released a statement predicting that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.
- In April this year, A NetApp survey of chief information officers, IT managers, and C-suite execs in France, Germany, and the UK reports 73 percent of respondents have some level of concern about meeting the GDPR deadline.
- In October of 2016, Symantec SVP Kevin Isaac expressed concerns following the State of European Data Privacy Survey, stating that “These findings show businesses are not only underprepared for the GDPR—they are underpreparing.”
On a positive note, these figures seem to evolve along with growing preparedness and awareness of GDPR. Laggards in the field are getting wise to this looming deadline. Trainings and thought leadership on the subject have grown exponentially in the last year—groups like the International Association of Privacy Professionals have established programs to offer GDPR bootcamps and trainings, for instance. And articles and lively forum discussion of the particular details of GDPR (the role of a DPO, pseudonymisation and personal data, etc.) further raise the water line of privacy awareness for all of us. My colleague, Alex Wall, recently published Preparing to Comply with the GDPR: Start Now, Plan to Invest.
Evolving GDPR Conversations: The Real Risks of Noncompliance
Since the GDPR was announced, there has been a lot of focus on the substantial fines one risks in the face of noncompliance. The possibility that you could be fined up to 20M Euros or 4 percent of your global annual revenue for an entire conglomerate seems to have effectively gotten the attention of corporate boards, executives, and their privacy professionals. In recent months, regulators have indicated that this threat is not just for show.
In a recent interview, Data Protection Commissioner Helen Dixon indicated a full willingness to apply the full fine as the case may call for it, and when asked if there will be any leeway to ease companies into the new regulation, answered “No. There’s not going to be any amnesty or first or second chances.”
Similarly, Information Commissioner’s Office Head of International Strategy and Intelligence Steve Wood stated in a recent keynote address, “Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy. What you will see is a common-sense, pragmatic approach to regulatory principles.” This indication, that enforcement will be in full effect come May of next year, should be motivating to the aforementioned companies lagging in GDPR preparations.
Evolving GDPR Conversations: GDPR to Motivate Positive Changes in Privacy Practices
Beyond the fines and the very tactical questions of how to prepare and what is the GDPR, are the conversations asking larger questions about proper data stewardship:
- What does the GDPR signify in a larger context?
- How do I create a sustainable and strong culture of compliance in my organization?
- In the journey towards compliance, how does GDPR align with privacy best practices I should be doing anyway?
An example of privacy professionals viewing GDPR as a motivator toward general improvement in privacy practices was a panel session held during the IAPP Global Privacy Summit, titled “GDPR Beyond May of 2018.” In this session, privacy executives discussed long-term compliance efforts, shared aspects of their privacy programs that were particularly effective, and focused on long-term and sustainable privacy practices as the ultimate goal – not just GDPR compliance. I highly recommend reading this recap of the conversation in Infosecurity Magazine.
These conversations are invigorating, listening in as privacy professionals discuss GDPR compliance not just as a distinct regulation to meet, but as part of a larger story about operationalizing and reinforcing strong privacy programs across the board. Some, such as this article from Information Age, laud GDPR as an opportunity organizations should embrace, arguing that the GDPR not only safeguards personal data, but also allows organizations the chance to better understand the data they use, and the value that data can hold. A recent example of this type of commitment was Google’s reiteration of its continued commitment to achieve GDPR compliance by next May’s effective date.Evolving Conversations on the General Data Protection RegulationClick To Tweet