GDPR has been at the forefront of privacy, security, risk, and controls discussions in many firms since last year. Many are in the midst of large-scale compliance programmes, spending enormous amounts with the view of achieving something by the 25th of May (£15 million on average for FTSE100 firms according to a study by SIA Partners).
But the truth is that GDPR compliance is not a defined concept, in spite of what tech vendors and many consultancies – large and small – would like firms to believe. The 99 articles still hide literally hundreds of potential compliance points and many undefined language elements ('large scale', 'state of the art', 'adequate' security measures, etc.), over which the guidelines of the WP29 have shed little light in practice so far, and over which the interpretation of regulators will have to be applied.
“What good looks like” is still an elusive idea for many organizations, and as we stated repeatedly last year – mostly in our 2017 white paper – it will take months for precedents to emerge and years for the dust to settle.
Let’s not forget that the GDPR will be enforced by each domestic regulator across the EU, each with their own history and practice around the topic.
- Is it conceivable that some could start to “knock on doors” on May 28th? (May 26th is a Saturday as I was reminded politely at a conference in Paris last December…)
- Is it conceivable that some could take a much harder line than others – or turn a blind eye on some matters – forcing precedents across Europe?
- Is it conceivable that the GDPR could be just a huge sledgehammer aimed at cracking the GAFA nut (and that nothing will really happen for average firms across the continent)?
Those are some of the 'known unknowns' around GDPR.
" So the real deadline is not really May 25th anymore, but the unknown point in time when the first real fine will be set. "
In practice, this will take at least several extra months (the time for the first incidents to be detected, reported and where relevant, investigated).
Whether they take a hard line on an irrelevant incident, focus only on the GAFA or other high profile cases, allow themselves to be challenged in court over unreasonable fines, or take inconsistent positions from one country to another, the regulators' role and their credibility could be damaged. They asked for real powers for a decade, now they truly have a hard balance to find.
Does this mean that it is best to do nothing for now and wait (in particular if you are waking up to the problem at this stage)? I don’t think so.
The GDPR forms part of a true evolution of society towards a more responsible use of personal data by the corporate world and public institutions. This is a long-term trend, unlikely to see reversals.
One more time, for those who want to make real progress across the next few months and 2018, the key for now is not to panic, to start by analysing their current level of maturity around data privacy matters and to build a GDPR alignment roadmap that matches their own priorities and their own resources, looking towards the May 25th deadline and beyond as necessary: There are things that will be achievable by May (fewer and fewer as time runs out) and things that will take more time. This must not become a mere box-ticking exercise and will be a matter of cultural shift for many firms: There is no magic product or magic checklist that is going to make you GDPR compliant in a few months if you are truly starting from scratch today.
At this very late stage, the problem goes far beyond financial resources and FTEs if the objective is to create true transformational dynamics on the topic: It is key to ensure that internal sponsorship is at a level high enough to be audible across silos (legal, technical, operational) and across the firm (business units, geographies, key external partners), and to make sure a governance structure is put in place that will track alignment progress efficiently and effectively.
As we have pointed out before, evidence of strong management backing and a genuine trackable long-term approach towards putting in place the “privacy by design” principles which are at the heart of the regulation, should always play in anybody’s favour with regulators, irrespective of the actual compliance challenges you may be facing.