The May 25th deadline for the General Data Protection Regulation (GDPR) is rapidly approaching. If you’ve avoided thinking about GDPR until now then by some miracle you probably don’t need to. For the rest of us, we’re reaching a critical point in the adoption of new rules about how we handle personal information.
At least the frenzy about what to do seems to be dying down. I no longer receive several emails a day offering me consulting help to become compliant. Now, I see articles and whitepapers containing checklists of what must be completed and invitations to seminars focused on what will happen after May 25th.
If you are still looking for information, I have included a few helpful resources.
1. A good introduction from the European Commission themselves.
2. SOLA consulting produced a nice summary on 1 page (pdf).
3. Latham and Watkins checklist is a good example of those produced by law firms.
Most organizations have a plan that they’re executing against. They have assessed the risks, taken advice, and put in place procedures to make the required changes. Some are even suggesting that it will be like Y2K – a huge amount of work followed by an anti-climax and people asking what was all the fuss about.
In my view, there are two important differences to Y2K. Firstly, Y2K was a specific IT problem created and cured by the technology industry. It did not involve a lot of interpretation and regulators had fairly simple and well defined objectives. Secondly, when you got through Y2K, a few days later you were done.
With GDPR there is likely to be on-going adjustments required for some time after the start date as everyone gets experience with how things will work in practice. There is no definitive view on how the new rules will be policed and enforced in practice by regulators. It is clear that there are groups and individuals planning to bring test cases and the outcome of those will not be known for some time. As those cases progress, formal and informal precedents will be set. Inevitably, choices and decisions you’ve made will need to be revisited.
Time will pass before a new normal is achieved and your organization may need to adjust in ways you didn’t expect. If we’re lucky, the new environment will be more about the spirit of the directive and not the technical details of specific cases. Every organization is going to have to do more in the areas of knowing what they do with personal data, documenting that, and being transparent about their uses of that data.
In reality, if individuals feel they understand how their personal data is used and organizations can still work efficiently, then the directive will have met its primary goal of providing a framework that allows more personal data to be exchanged electronically to promote e-commerce across the EU. As the regulation says:
Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.
Right now, the focus should be to deliver your current plan and put in place the policies and systems you think you need. After May 25th, keep learning. Watch what happens in your industry and markets and be ready to make measured responses.