Six months into enforcement of the European Union General Data Protection Regulation (GDPR), the International Association of Privacy Professionals (IAPP) hosted an expert discussion on how the post-GDPR world is going so far. The scope and impact of the GDPR are not to be underestimated; the massive preparatory efforts undertaken by any sensible entity doing business with Europe are now being put to the test. With provision for fines of up to 4 percent of global annual turnover, the stakes are high, although EU regulators insist they are not seeking to be punitive. While there haven't been any high-profile penalties to date, the massive, recently disclosed Marriott breach may be the first acid test of that position.
Two key themes emerged from the discussion: the enormous complication of tracking all of the personal data a data controller (the GDPR's term for the organization that decides how personal data is used) actually holds; and the growing complication of privacy compliance as new, disparate laws continually crop up.
Brilliant data scientist and Senzing founder Jeff Jonas tried to explain entity duplication and matching challenges (working out which records across many systems refer to the same person) in terms that those of us in the room who are non-technical might grasp. I'll just leave it there, except to relay that he gave us great insights into how difficult, and pervasive, this problem really is. He also strongly believes his business should not and will not hold any customer data, because with it comes a great burden of responsibility.
What was more accessible for us less-technical attendees was IBM's forthright presentation on how they're dealing with GDPR. Richard Hogg, IBM's "Global GDPR Evangelist", has spent four years working with heavily regulated clients to prepare for the disruption. Along that journey, he learned some high-value lessons about how those who may still be lagging in their preparation can achieve compliance.
He saw the full process as a two-year journey for enterprise-level organizations, so starting well ahead of the 25 May 2018 deadline was important. For those who are still trying to catch up, this offers a mile marker for how much farther they need to go.
Instituting a common taxonomy and metadata definition that the entire organization can embrace is also very important: you simply can't effect such a big change without a shared understanding and a shared vocabulary to discuss it. The GDPR effort also created an opportunity for organizations to rationalize and simplify the diversity of data sources and systems they use. And going through the heavy lift of the whole process creates a strong framework for future regulatory developments. With new regulations popping up frequently – at the national, state/provincial and even local levels – GDPR is certainly not a one-and-done or bracketed event. The movement to check and balance the use of personal data is global and gaining traction.
Citing an IBM Institute for Business Value and Oxford Economics study, Hogg noted that of the 1,500 respondents across 34 countries and 15 industries, 39 percent saw GDPR not just as a mandatory regulation but as an opportunity to transform their organizations' security, privacy and data management. That's an encouraging and frankly optimistic perspective to take. More encouragingly still, 59 percent see it as an opportunity for broader business transformation, for three key reasons: they see security and privacy as key differentiators for competitive advantage; they believe it will create new opportunities for data-led models and monetization; and, perhaps most importantly, they believe it will enable more trusted relationships and new business opportunities.
With the California Consumer Privacy Act due to take effect in 2020, and even growing talk about the need for a U.S. national privacy law, big changes are still on the horizon. The rising swell of consumer and citizen backlash against the overuse of their data is forcing a shift in practices, and attitudes, that have become slowly and deeply ingrained over the past 20 years of internet development. Perhaps those firms willing to embrace the opportunities arising from the GDPR will be best positioned to sustain and thrive through this transformational time.