GDPR: Gigantic Disruption of Professional Resources?
On May 25th, 2018, one of the most sweeping regulatory requirements concerning personal data protection will take effect in the EU, but its impact will be felt globally. It is, of course, the General Data Protection Regulation, or GDPR. It's compulsory, carries oppressive fines for non-compliance, and has the entire continent (and much of the rest of the world) literally throwing money at consultants and compliance experts to help affected organizations "mind the gap," so to speak. Perhaps, then, a more apropos name would be the "Gigantic Disruption of Professional Resources." But, alas...
GDPR: What Is It?
So, what in the heck is this regulation, and why is the whole world on edge about it? Good question. Despite the fact that the law defining it spans 88 pages (which, coincidentally, proves that the Europeans are still rank amateurs compared to the US when it comes to unnecessarily long legislation), the basics of it are simple. The EU's GDPR Commission synopsizes it as follows:
The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy.
The remaining 87 7/8 pages of the text can be found here, if you're so inclined, but the most important things to understand are:
1. Everyone has personal data that they're entitled to keep secure,
2. Every organization that holds any personal data is only allowed to keep ONE copy...and only if that person grants them consent, and
3. Just about anything that compromises #1 or #2 results in a rapid draining of your bank account in the form of non-compliance fines.
To Comply or Not To Comply...Isn't Really The Question At All
Compliance with GDPR is compulsory, and failing to comply will carry significant fines. Organizations generally become compliant in one of two ways:
1. Conduct an internal audit to identify all versions of personal data, consolidate it to one file in one location, have the individual it's connected to verify the organization's consent to hold said data, and edit/update/secure as appropriate, or
2. Securely pass all personal data back to the individual it's connected to via a secure file-sharing platform, allowing the end user to grant and control consent authorizations.
Of these options, the first is far more expensive and time-consuming, and it keeps liability for data security with the organization. Option 2 can be implemented nearly immediately and, by shifting control of sensitive data to the end user, both shifts liability away from companies AND makes it significantly more difficult for hackers to illegally access large amounts of personal data. Hmmm. Doesn't sound bad, right? Maybe GDPR should actually stand for a "Genuine Declaration of Personal Responsibility."
Don't get too excited, Jacques. Remember, this is still a government regulation we're talking about...
What's Next, My Friend?
Ah yes, what's next? As with any sweeping regulatory change, I believe prudence is in preparation. And while it still remains to be seen if GDPR will launch on time...or if it will have the "teeth" it promises...or if it will improve data security, I wouldn't tempt fate by betting against any of these. The one thing for certain regarding GDPR is that no matter where you live, we're all in this together (not even Brexit can change that). So, in the meantime, if you want to quickly and efficiently pursue compliance, I recommend checking this out. Just remember, GDPR will be big, it will be transformative, and it will be here before you know it. We're here to help.