GDPR: The Countdown to 25 May 2018

As I mentioned in my previous blog, I had the pleasure of getting different perspectives on GDPR at the 2018 Computers, Privacy and Data Protection conference. That blog looked at the data subject view of GDPR, whilst this one will summarise what I learned from listening to lawyers, policy makers and academics.

The General Data Privacy Mood

Whilst at the conference, I spoke to a few people from different backgrounds, and asked their views on GDPR, and the effects it is having on their professional life. The opinions were from lawyers, policy makers and academics, and the bulleted list covers some broad topics:

  • The Data Protection Officer role is being taken more seriously. At first the role was thrust on people who were ‘the last to say no’ – often people absent when the role was assigned. As the responsibility of this role is better understood, DPOs now being assigned are both more influential in the organization, and more suitable for the role. A background in law and technology is highly sought after for this role.
  • The ability to comply with GDPR in a blockchain implementation is uncertain. Whilst individual applications can encrypt the data stored, the right to be forgotten could be problematic. The geographical issues posed by blockchain processing will also have to be considered, as most of the processing capability currently resides in Asia.
    • Interestingly, the blockchain panel had people with completely opposing opinions as to the value of blockchain, and how best to deploy it. Clearly the unknowns about how best to gain value from blockchain currently outweigh the data privacy concerns about the technology. Once use cases are well defined, they will have the benefit of being implemented from the beginning to comply with the GDPR.
  • Many lawyers are not being prescriptive about what GDPR compliance means. Instead they are working with their customers to interpret the requirements of the GDPR within the context of individual organizations' business processes, data requirements and risk profile.
  • Privacy advocates are concerned about the level of preparedness for the GDPR. This regulation did not appear in a vacuum of data privacy laws. Most countries already have data privacy laws – but there is a concern that compliance with these laws has been lax.

A Word From The Regulators

The most interesting panel for me was clearly the panel titled GDPR Implementation: The countdown to May 2018. (So interesting, I have used the title in my blog.) The first thing I learned in the panel is that GDPR has a ‘Godfather’ – that is, a single person (Jan Philipp Albrecht) who championed the regulation from the initial drafts through to adoption in the European Parliament. Jan Albrecht sat on a panel with Renate Nikolay (EU), Mark Cole from the University of Luxembourg and Eric Miraglia from Google. They were discussing what to expect not only in the next few months, but also after the regulation comes into force in May 2018. Some of the key points I found interesting are:

  • The biggest achievement of GDPR to date is the increased consciousness about data protection law. This was played out in many conversations I have had at the conference and in separate conversations with Informatica’s customers over the last 12 months. However, the panel confirmed the unprecedented level of executive attention and support for data privacy under the GDPR.
  • The policy makers want GDPR to succeed. They are looking to support those who have been left behind – specifically SMEs. Smaller businesses have been under the false impression the GDPR does not apply to them, and are therefore late in their compliance efforts.
  • Data Protection Authorities (DPAs) do not have a choice about whether to enforce the GDPR within their country – they must do so by European law.
  • Given the rising levels of interest in data privacy globally, there is an understanding that the GDPR may need to be adapted in the future due to unforeseen elements and/or global data privacy initiatives.
  • Communication (internally and with data subjects) is key, as is the ability to demonstrate with a high level of confidence that you are doing the right thing. Without these two aspects, ending up in court seems likely.
  • To comply with the GDPR, efforts should be implemented in a horizontal manner across the organization. As data is everywhere in an organization today, the GDPR will touch most departments and business processes.

One big question on everyone’s mind as the May 2018 deadline looms closer is: Who will be first? And by extension to this question: How likely is it that I will be an early target of data subjects’ rights, or the regulators’ interest?

Clearly nobody can answer this question for certain, as much as nobody is sure exactly what constitutes compliance on some of the legal concepts that are more difficult to understand. However, if you do come under GDPR scrutiny, Jan Albrecht had some very balanced insight into the process:

“100% compliance [to the GDPR] can never be achieved, we know it. We try to achieve as much compliance as possible, and we see that enforcement actions are, and have to be proportionate.”[1]

Of course, he was also quick to point out that the GDPR will apply no matter what!

With all this information on board, my thoughts on GDPR compliance have changed little; instead they have been reinforced by listening to other viewpoints. There are key themes in terms of compliance that keep recurring:

  • Do not take GDPR lightly. Even if your organization doesn’t immediately catch the eye of your DPA, the data subjects whose data you manage are, on average, highly interested in the processing of their personal data – and interest will probably increase.
  • GDPR was not designed to punish organizations that process or store data per se. It was designed to allow people to embrace all technology our increasingly digital world offers us – but without fear. That is, instil a level of trust between data subjects and data controllers/processors.
  • Expect and embrace change. Change is not necessarily restricted to the GDPR, but as data privacy becomes a higher concern globally, we could see many other laws requiring elements of the GDPR in other countries.

GDPR compliance is a journey that will look different in every organization. Those organizations who embrace data governance and management as practices across their organization will fare the best. That is, if you increase the levels of data management in your organization (starting with the personal data governed by GDPR), you will reap the rewards in terms of business value far beyond compliance. You will also be in a better position to adapt to future regulations regarding data. Those who put in very specific technology to check a few GDPR boxes, with their eyes only on May 25th 2018, may find significant rework as GDPR precedent is set by court action, or as they need to comply with other regulations regarding data.

———————————————————————————————————————————————————————————————-

[1] CPDP 2018: GDPR IMPLEMENTATION, THE COUNTDOWN TO 25 MAY 2018.
