In the run up to May 2018 the corporate world was dominated by GDPR panic.
Inboxes brimmed with emails begging us to opt in to marketing lists. Businesses frantically started looking for Data Protection Officers and deleting personal information by the score. Firms began prepping for ICO audits. Myths and rumours abounded.
But has it been the millennium bug all over again? So far there have been no record-breaking fines and it’s been pretty much business as usual. So what was all the fuss about?
The underwhelming truth
Part of the GDPR hysteria was due to the many additional requirements brought in by the regulation, which constituted the biggest change to data protection law in over 20 years. With such high fines, no one wanted to risk regulatory scrutiny and possibly lose 4% of their global annual turnover. As such, most firms wanted assurance that they were 100% compliant by the GDPR deadline. But compliance can be subjective, especially for a new and complex regulation. This is a new piece of law – but based on familiar principles – and it is still not always clear what standards organisations are required to meet.
But now the GDPR is in full swing and we’re starting to get an idea of what good looks like. And as this becomes better established, the likelihood of fines could increase.
Winning hearts and minds
Data protection isn’t going away and it’s time to embrace the change. The main features of GDPR are much the same as under the old data protection law, but it is a lot more detailed in terms of how organisations have to both comply and demonstrate that they are complying. Compliance involves embedding a culture of respect for personal information and individuals’ information rights. Training and mentoring can play a big part in embedding that culture, especially over the next few years, until data protection really does become business as usual. With the right culture, compliance will be easier to maintain in the long term.
“We’re compliant, we don’t need to do anything else – right?”
Despite the hysteria, some firms buried their heads in the sand and hoped the regulation would go away. So there will be some remaining planning and implementation work for a lot of organisations. But even those who were in a good state of compliance by the day GDPR came into effect, many will still have to approach this as an on-going exercise. For example, “records of processing activities” will have to be kept up to date.
Compliance is an ongoing challenge. GDPR should now be factored into business as usual, recognising the importance of information rights and establishing data protection best practice. The emphasis should be on creating a robust and coherent governance framework, that can be maintained and adapted according to technological and other changes.
Anticipating the wider implications
While GDPR specifically refers to personal information of EU citizens, many firms strive to implement a global programme based on the regulation as best practice. This is doable but you need to think about local data protection requirements and variations in each territory, rather than taking a once size fits all approach. But, it is true that a principle-based approach focusing on the highest risk areas (transparency, security, rights, for example) can have effective global reach.
It’s also worth thinking about what GDPR means moving forward. How will it apply in the context of artificial intelligence? Or biometrics? Or disruptive technology? How will privacy-enhancing technologies develop and facilitate compliance? This is a fast-moving area and one that isn’t going to go away anytime soon.
For further information about GDPR and how we can help, please contact our GDPR team.