It has been two weeks since the GDPR came into force on 25 May, and organizations around the world continue to scramble through their compliance journey. The regulation gave the global industry a two-year heads-up so that it had time to integrate data protection and privacy into its internal protocols, administrative and technological alike. Unfortunately, many corporations took it lightly and only began to prioritize compliance when less than a month remained before the deadline.
A study conducted by Deloitte shows that 45% of organizations have a dedicated privacy function, 32% manage privacy within another function, and 23% have no formal privacy function at all. A Forbes Insights survey of 400 organizations found that only 6% deemed themselves fully compliant with the GDPR, while 40% considered themselves somewhat capable.
The journey towards data protection and privacy that the GDPR has initiated has only just begun. Compliance, although a long and tedious process with significant financial cost, is only the first step. Many organizations are under the impression that they have mastered data protection with the new standards they adopted to comply with the GDPR, but nothing could be further from the truth. Data privacy and protection as envisaged by the regulation is intended to be an ongoing process of consistent innovation and improvement of information security measures. The consensus is that privacy will become an organizational feature that influences the industry's competitiveness.
Organizations that have already implemented information security solutions now need to turn their data security priorities to the next obstacle: maintaining their current data management standards, which requires consistent monitoring of the organizational and technical measures they have adopted. These organizations must focus on developing control mechanisms capable of identifying possible contraventions as well as potential data risks, especially if they intend to increase the scale of their operations.
Similarly, most cross-organizational transactions, such as mergers and acquisitions, will also have to accommodate the provisions of the GDPR. Any such agreement will have to incorporate terms governing data protection and privacy, as well as repermissioning and reconsenting where necessary. Organizations will therefore have to consider the broader impact of the regulation on their commercial operations.
Another consideration is the impact the GDPR will have on the integration of new technologies, should an organization be so inclined. The transition that adopting new or upgrading obsolete technology entails is exceedingly complex and only becomes more intricate as the organization's scale of operations grows. In addition, the incoming IT systems and processes now have to be GDPR compliant, including the requirement for data protection by design and by default (Article 25). Unless there are operational procedures in place to address this transition, there is a strong likelihood that controller organizations will be in contravention after their systems have been upgraded, even though they were compliant before.
The GDPR is a relatively new law, and there is a dearth of expertise in the techno-legal field capable of addressing the concerns being raised now that it has come into force, even as official guidance slowly develops. There is a real possibility that controller organizations continue operations believing they are compliant with the new requirements, especially with regard to technological restructuring, and discover at a later date that they did not meet requirements such as privacy by design or the appointment of an EU representative when they have no establishment in the Union.
At the same time, the GDPR leaves room for Member States to specify or derogate from individual requirements within their own territory (for example the age of digital consent under Article 8 and the processing of employee data under Article 88). Thus, standards and measures considered sufficient to comply with the GDPR in France may not hold up under the stricter rules applied in Germany, leaving any organization with offices in both countries and a single, uniform set of data protection standards exposed to the risk of contravention.
Organizations also need to consider several other issues that arise after they have begun compliance: the lifecycle of their implementation measures and whether they will hold up in the long term, the development of data protection law as the European Data Protection Board and national supervisory authorities decide new cases and complaints, and the upcoming data protection laws around the world that might require revision of protocols. The proposed ePrivacy Regulation, intended to replace the 2002 ePrivacy Directive, is also pending in the European Union; it will regulate telecommunication services available online, including rules surrounding communication by email.
The GDPR is here to stay. Data protection and privacy are only going to become more important as we introduce newer technologies and develop better ways to exploit data for economic gain. In the changing landscape of the information technology space, the need for awareness as well as expertise will only grow. Organizations will have to shift focus and resources towards training and awareness of data protection and data management operations so that they can cultivate talent and expertise in these areas, giving them a real competitive edge in the time to come.
The GDPR is just the beginning of a long journey towards data protection and privacy. It is but one regulation applicable to one community. Countries in Asia and Africa have already announced their intention to follow in its footsteps. The coming wave of data sovereignty will bring new compliance and implementation challenges for organizations unless they forgo a minimalist approach to the regulation and embrace its objectives as part of their organizational culture.
Advisory to CRIS
Co-founder & CEO, CyberImmersions Solutions
The ideas, views and opinions expressed above are those of the author and do not necessarily reflect the opinions or official position of any agency, organization, employer, or company. The views expressed are for informational purposes only. They are not intended to constitute legal advice. For legal reliance on GDPR compliance, please consult your attorney.