May 25th is a big day in the business world, a day which many organizations have spent years preparing for. On this day, the European Union will begin enforcing the General Data Protection Regulation (GDPR).
GDPR seeks to create a harmonized legal framework for data protection and privacy across the EU and, in effect, puts citizens back in control of their personal data. In light of increasing angst about “data dominance” by a shrinking number of companies, and with the recent revelations and “mea culpa” from Facebook, there has never been a stronger focus on the intersection between data and privacy.
As with all such regulations, the tendrils reach much further than meets the untrained eye. There are strict rules not only on how personal data is used, but also on where it is hosted and how it is processed. Furthermore, citizens have the right to be permanently “forgotten”: on request, an organization must erase a person’s data unless it has a lawful reason to keep it. Companies that decide to flout or ignore this regulation do so at enormous financial risk (fines can reach 4% of worldwide annual turnover or 20 million euros, whichever is higher), not to mention PR risk. To be clear, paying simple lip-service to GDPR doesn’t suffice: the regulation makes organizations accountable for demonstrating compliance, which means keeping records of what personal data they hold and why, assessing the risk of their processing, notifying the supervisory authority of breaches within 72 hours, and showing that they have actually reduced citizens’ exposure to breaches.
There are countless places on the Web to learn about the intricacies of GDPR, but that is not the main point of this blog post; instead, we aim to provoke a discussion by asking a very basic question: “GDPR is here, so now what?”
First in the list of “Now Whats” is the fact on which most experts agree: most organizations are woefully underprepared for GDPR. From well-meaning, not-quite-ready companies to those that openly disregard and challenge regulation and government authorities, most organizations are prepared neither for the stringent requirements nor for the consequences of falling short. There is still a chance to right the ship, and precisely because of this lack of preparedness there will be enormous demand for help with conflict resolution, litigation, and customer connection and satisfaction.
That said, the real “Now What” is a completely different beast in our opinion. We believe that the pendulum will swing back strongly, in a shift from corporate self-governance to a regulation-based world. Governments and citizens are increasingly fatigued by breaches of privacy and security, and increasingly believe they have ceded power to a few large technology corporations. Books, academic articles, blogs, and screeds abound on this “abuse” of power. Whatever a person’s politics, there is no doubt a shared concern over the propriety and integrity of the relationship between large data players and citizens.
A New Paradigm
What this means is that regulation will creep back into more spheres of business. With this trend, organizations must engage experts, both internally and externally, on an ongoing and sustained basis to understand, anticipate, and manage the regulatory frameworks that will emerge.
For some, these issues are cast in a political light. For others, it’s strictly business. Some perceive issues of data protection as moral and ethical, while others see them as simply practical. Wherever individuals or organizations stand on GDPR and other regulations, one thing is certain: all organizations need to prepare for a new paradigm with more vigor than they ever have before.