May 25, 2018 is the date. After years of development, an April 2016 adoption, and a delay period to allow affected parties to prepare, the European Union’s General Data Protection Regulation (GDPR) will go into effect next spring. This sweeping new oversight is designed to strengthen data privacy and security for EU residents and also covers export of data outside the EU.
Some are comparing the change to Y2K, a looming event with potentially serious and costly ramifications. (Or as it turned out, maybe not.) And just like Y2K, there are myriad firms willing to assist—for a fee.
This leaves many IT leaders wondering what’s really coming down the pike. Do they need to invest massive amounts in GDPR compliance? Should they be hiring consultants? Or can they ignore the GDPR altogether?
According to the UK’s information commissioner speaking to Wired, the GDPR is “an evolution, not a revolution.” So not scary? Maybe, but then tell that evolution story to the T-Rex.
The biggest problem may be lack of knowledge. An NTT survey of over 1,300 business decision-makers worldwide found most are largely unaware of the GDPR and its impacts on their companies. A little information can go a long way in settling nerves and helping organizations prepare, so we’ll do our best to cover the basics here.
Together in Perfect Harmony
Let’s start with the overarching goal of the GDPR. The regulation replaces 1990s era policies, which have not been significantly updated and are not, in most experts’ estimation, up to today’s privacy and data-protection challenges. In the wake of the Equifax breach, word that Google was secretly collecting smartphone location information even on users who had that feature turned off, or any other of the recent privacy-busting revelations, it seems that, yes, some work needs to be done to protect consumers’ personal information.
The GDPR aims to harmonize data protection, ending the “patchwork” of laws across the 28 EU member states. Although there is some debate over the policy’s tension between standardization and member-state flexibility, it is commonly accepted that flexibility will be highly limited.
This may be a win for enterprises, even as they work to understand and comply with the GDPR’s nearly 100 articles. As it will become the world’s most stringent regulation on most counts, it is expected to have global impact, becoming the de facto international standard. “GDPR-compliant” may become a consumer catchword for “safe.”
Once the multinationals—or any business operating or collecting data across borders—can get accustomed to the new rules, the simplicity of a single dominant standard, not to mention the bolstering of consumers’ flagging confidence, may be beneficial.
Achieving compliance will, however, take time and attention. We will devote future blogs to covering who is affected, the central GDPR requirements, and what some organizations are doing to come into line.
Chris Adams is President and COO of Park Place Technologies. Contact him at email@example.com.