This Thursday marks the one-year countdown until the General Data Protection Regulation (GDPR) comes into effect, and the interest in the upcoming legislation is intensifying. It’s also catching on internationally, outside of the European Union (EU).
At the March Cloud Expo Europe event in London, cloud was naturally the biggest talking point. I'm convinced more than ever that 2017 will be the year of the cloud. Not far behind it, though, GDPR was nipping at its heels as a topic. I had many international delegates and customers asking questions about it at the show. Additionally, I heard other vendors talking about it, too.
Some discussion has been around GDPR being hyped up and peppered with doubt as to whether it will amount to any kind of a big deal. Here's a few comments that I've heard firsthand or had repeated back to me:
- 'It's going to be like Y2K - lots of hype and nothing will happen'
- ‘We’re public sector; GDPR doesn’t apply to us’
- ‘We don’t think GDPR will be enforced; we’re going to wait and see’
- ‘GDPR doesn’t mean anything in the UK because of Brexit’
- ‘Our operations are outside the EU, so GDPR doesn’t really apply to us’
Up until now, if a customer or prospect said this stuff, it had only been an opinion. All you could offer back was your own thoughts. Things are starting to change, though. An article about the UK's Information Commissioners Office (ICO) preparations for GDPR provides a great example while debunking all the aforementioned reservations. This isn’t specific to the UK either; the same is taking place in just about every other EU country.
The ICO is the UK body that enforces the current data protection laws; the article covers international enforcement, government backing, increased capacity and all of the other things the doubters are citing. (Note to the UK folks: clearly the ICO thinks Brexit makes no difference whatsoever).
The same steps are being taken in other countries. Germany is arguably ahead of the pack since it already instituted laws necessitating Data Protection Officers. Legal councils and regulators are already used to the existing strict data privacy laws. Last year, the Netherlands adopted laws similar to GDPR with regard to data breaches, but it will have the rest of the regulations to implement in May 2018. Same holds true for all the other EU countries.
The bottom line is that as regulations go, vague words like ‘adequate’ and 'reasonable' are being used. It's likely an invitation for the courts to clarify. This doesn't change the fact EU countries are gearing up to take these regulations seriously. Like this piece in Computer Weekly, as well as other similar articles, there is plenty of information regarding privacy and data management to keep the CDO and compliance team busy inside your organization for quite awhile.