GDPR… four letters that strike fear into people and may have caused some people to cry. It’s been 7 months since GDPR went into effect. What’s happened in GDPR’s first 7 months, what’s going to happen in 2019, and why should you care?
On May 25, 2018, the GDPR (General Data Protection Regulation) went live. GDPR was designed to protect the privacy of EU residents. All organizations that process EU resident personal data, regardless of where they’re located in the world, are part of the scope of GDPR.
Your organization probably falls into one of the following categories:
(1) Organizations that are in scope for GDPR and are GDPR ready. In most cases these organizations have worked a minimum of 1 year to become GDPR compliant. They found out there are many pitfalls and challenges on the way to compliance, and they found out their work isn’t finished yet.
(2) Organizations that are in scope for GDPR and are in the process of becoming GDPR compliant. These businesses are finding out just how many moving pieces there are as they work toward compliance.
(3) Organizations that are in scope for GDPR and are taking a wait-and-see attitude. Since it’s an EU regulation, these organizations are waiting to see how it will be enforced before they invest in a GDPR strategy.
(4) Organizations that aren’t in scope for GDPR. These companies may or may not be working on a GDPR or privacy strategy.
In 2019, you’ll see the U.S., more individual U.S. states, and other countries develop new guidelines for data protection and privacy. GDPR will be used as the benchmark for new data protection laws. For example, the CCPA (California Consumer Protection Act), which was passed and amended earlier this year, has been called “GDPR lite”.
Earlier this year, the U.S. Federal Government announced its plans to establish U.S. consumer privacy standards. Two federal agencies within the U.S. Department of Commerce (NIST and NTIA) are working collaboratively with the public and private sectors to develop voluntary privacy frameworks. But there is a lot of debate about whether privacy legislation is needed at the Federal level. 2019 will be a critical time to see how this affects businesses.
Data breaches continued to increase in 2018, and consumers throughout the world are concerned about protecting their data. Data breaches have affected millions of people, and there’s a good chance that you or your friends have been affected by one. Many consumers have made it clear that they would stop engaging with a company online, and would stop engaging with it altogether, if the company experienced a data breach. With or without GDPR, consumers will expect organizations to keep their data secure and safe.
Consumers are concerned about who has access to their data and want to have control over their information. Organizations will need to demonstrate they can protect their customers’ data in order to build trust. Going into 2019, establishing trust will be one of the most important factors when engaging with consumers.
Organizations that are GDPR ready or are implementing their GDPR strategy will absolutely have a competitive edge over companies that aren’t taking any action. If you’re doing business with organizations that are GDPR compliant, they will ask you to sign a Data Processing Agreement stating that you’ll protect any EU personal data they provide you per GDPR guidelines. If you’re unable to sign these agreements, you may lose business. I can also foresee companies making it mandatory to be GDPR compliant before you can participate in the RFP or RFI process. Lots of businesses are taking privacy seriously, and so should you. If your organization isn’t working on a GDPR or privacy strategy, you’re falling behind the curve. Remember, people work with people they trust.
TRUST - Assured reliance on the character, ability, strength, or truth of someone or something: to place confidence in: rely on
When GDPR was first introduced, one of the first things people read and talked about was the fines. The maximum fine is €20 million (roughly $22 million) or 4% of global annual turnover from the prior year, whichever is greater.
Earlier this year the first GDPR fine was reported. AggregateiQ Data Services Ltd., a Canadian-based company, faces the maximum fine of €20 million for allegedly exploiting people’s private information from Facebook. AggregateiQ has appealed. A handful of other companies have also been fined.
The EU DPAs (Data Protection Authorities) are busy. The DPAs from Ireland, Germany, France and the U.K. have all seen a significant increase in data breach reports and privacy complaints since GDPR went into effect on May 25th.
The DPAs will continue conducting GDPR compliance audits in 2019, but their primary focus will be working with organizations to achieve GDPR compliance. Fines will still be imposed, but only on organizations that don’t take privacy seriously or don’t cooperate with the DPAs.
So why does GDPR strike fear into people? The GDPR regulation is a legal document that runs 88 pages, 11 chapters, 99 articles and 173 recitals. Yes, the regulation is very complex, difficult to understand and ambiguous. If you’ve been named the Data Protection Officer or you’re responsible for the GDPR strategy in your organization, I recommend that you read the regulation.
In 2019, as the DPAs continue to complete compliance audits and begin to apply the GDPR laws, expect the governing authorities to provide clarity on the existing GDPR guidelines and to draft new guidelines to make GDPR more transparent. Organizations that are fined will appeal the fines, and some of these organizations will file lawsuits. As these cases are heard, the courts will also help interpret GDPR through their rulings.
Of course, this makes it challenging for organizations to implement GDPR standards. Businesses need to understand GDPR compliance is an ongoing process. Organizations will need to continue growing their privacy programs as GDPR is redefined, as U.S. states enact new laws (like California) and as more countries introduce new privacy laws.
As 2018 closes, some of you may be asking yourselves: is the GDPR nightmare over? The answer to that question is NO! 2019 will mean increased privacy challenges for organizations. But don’t take a wait-and-see attitude. Start that strategy today to stay competitive. Finally, I always ask companies how much it would cost them to become GDPR compliant. The answer is always less than €20 million.