The GDPR may have only been in effect for a few months, but member states have been far from sluggish. Regulators around the world have steadily grown their staff numbers and expertise. As one example, the Irish Data Protection Commission (DPC) has grown from less than 30 employees back in 2014 to 130 staff members in 2018, with plans for further expansion of staff and expertise in 2019.
This is especially noteworthy because many of the world’s biggest tech companies have their EU headquarters in Ireland, and the Irish DPC has a pivotal role in the implementation and enforcement of GDPR. This means that any complaints filed against companies like Facebook, Twitter, Microsoft, LinkedIn, and Google are under the purview of the DPC.
Worlds will collide in 2019.
In fact, they already have! The first infringement complaints came on the very day that the GDPR came into force when the nonprofit organization noyb.eu presented four complaints against Facebook, Instagram, WhatsApp, and Google.
Worryingly, too, in a survey conducted after the GDPR deadline, only 36% of respondents reported having a dedicated privacy function. And only three-quarters had appointed a data protection officer (DPO). Some companies didn’t even know if they needed to.
More alarmingly, 20%-30% had little or no confidence that they could meet core compliance requirements, respond to new rights afforded to customers, or control personal information in their content systems.
This lack of preparation could cost some companies dearly—in 2019, you underestimate the GDPR at your peril! Indeed, even as the new European Data Protection Board sets up shop, one hospital in Portugal has already had three sanctions imposed against it totaling €400,000, while a German social network was fined €20,000 after a hack caused over 800,000 email addresses to be leaked, along with over 1.5 million usernames and passwords.
Even though we haven’t seen the colossal fines threatened by the GDPR—4% of annual global revenue or €20 million, whichever is higher—laws are only as strong as their enforcement, and GDPR regulators are circling. Officials will continue to scrutinize implementation measures taken by companies, and the methods of scrutiny will only improve.
Privacy policies may be updated, tools created to give users more control, and more ways adopted to request that data is deleted, but the GDPR is only now revving up for action. Hence the large number of (sometimes annoying) geographically coded consent pop-ups that appear across websites on EU IP addresses. Don’t forget: The GDPR applies to any site or mobile application collecting data from EU residents.
On this, according to UK-based research, over 1,000 US news websites were being blocked in Europe shortly after the GDPR launch.
A goal of GDPR in 2019 is to encourage (forcefully or otherwise) companies to implement “privacy by design.” Article 25 positions data protection as an integral part of technological and IT development, as well as how a product or service is delivered. GDPR is not specific about how you implement these changes, but for many organizations adopting a privacy by design approach requires a significant culture change.
Processes are the backbone of GDPR compliance in 2019. After all, implementation is all about documenting and developing processes, obtaining opt-in consent, and reporting data breaches. Plus, provisions such as an individual’s request to access information about how their personal data is processed require… processes.
As such, there is massive scope to implement GDPR in 2019 by identifying existing processes and developing new ones for compliance. Under the ‘right to be forgotten’ requirement of GDPR, finding and deleting personal data is a process problem, not a data problem. Companies need to know how information is processed throughout the entire enterprise to detect and remove all instances of the name/data.
Understanding processes is necessary for compliance. Companies that have addressed processes rather than limiting their actions to protecting their database from breaches will be in a more defensible position. In other words, if an organization has made a ‘sufficient’ effort to locate all the instances of the use of an individual’s data, then even if the effort were not 100% successful, the intent would be recognized.
The global impact of GDPR is obvious. Since its implementation, at least 10 countries outside the EU, including Australia, Argentina, and Brazil, have moved to implement similar rules. For advanced economies, updating their domestic legislation will be relatively straightforward. In some cases, countries are copying the GDPR almost word for word.
But spare a thought for the emerging countries! They must balance the need to access the EU’s market of 500 million customers with the economic pressure to encourage domestic innovation. Developing economies such as Uruguay and India have managed to devise comprehensive regulatory frameworks to meet the EU’s rules whilst also being sensitive to their own economic and cultural trajectory.
SPOILER ALERT: GDPR applies regardless of Brexit and CASS.
But let’s set one thing straight, the future of the GDPR isn’t about penalizing organizations, it’s about protecting the consumer. It is about having the technology and expertise to make the critical principles of trust and transparency the bedrock on which you build your organization.
To understand what the GDPR means for you in 2019, and into the next decade, you need to remodel the GDPR in your interest: Getting Data Protection Right. After all, you shouldn’t fear what you already know!
… Now please, rewind after reading.
To learn more about the GDPR, read our industry-leading resources. With Signavio at your side, you have everything you need to thrive under the GDPR and far beyond 2019.