On May 25, 2018 the General Data Protection Regulation came into law for European Union countries, created to protect data relating to E.U. citizens, ensuring the right to know what is being stored, where and why.
For those of us who work in Information Technology, this was not a surprise – we’d been working toward this for months, if not years, and were ready for a new world of data-management best practice with tighter controls over the flow and storage of data combined with data-requests from individuals and the potential of fines for non-compliance.
Fast forward one year and, according to a recent report from the law firm DLA Piper, more than 59,000 personal data-breaches were notified to regulators between May 2018 and January 2019, yet many organizations report being unable to achieve anything near 100 percent compliance. In fact, a report released this week shows that nearly 145,000 complaints and questions were submitted to EU authorities charged with enforcing GDPR in the first year.
Even with these statistics we’re still only seeing a small amount of successful litigation make the news (albeit some of these have carried large fines). Why is this?
For businesses and regulators alike, the first year of GDPR has been a learning experience; an opportunity to work out what the new data-protection landscape looks like, and for both sides to understand how to respond rather than react. The era of data-peace is coming to an end as over the last year we have seen more countries considering, and even implementing, data-protection laws which make the compliance patchwork more complex to navigate. Remember, it’s not just the multi-national organizations which are affected—anyone doing business in a region must comply with local regional regulations.
It’s clear that in the coming years we will see the data protection and privacy landscape change dramatically, improving the experience for us as individuals but potentially making things more complex for businesses. Although these future changes are largely unpredictable, being prepared for new regulations and understanding how best to implement compliance could save time and money in the long run. There are several things that can be done to ensure you’re better prepared:
• Make data-protection legislation a board priority — technology is simply the enabler: It is important to keep the board engaged with current and new regulations. Because any project will need board approval, regular updates on current compliance status and any existing risk will make it easier to get approval for new projects.
• Study the current regulations to help future-proof your business and compliance strategy: Any future data-protection regulations will be an evolution of what is already in place; perhaps local changes due to the digital economy or regional changes from new laws coming into force. Make sure you understand how data flows through the business today, and is kept up-to-date as new systems are introduced. This will make it easier to adopt change due to new regulations.
• Watch for new legislation being proposed for 2019 and beyond: GDPR set a baseline for data-protection and globally,regulations appear which follow the framework established in the EU. Next the EU will establish ePrivacy, a new set of rules covering electronic communuications, which is intended to work in conjunction with GDPR. The world will be watching ePrivacy and it will become a global reference framework in the same way as GDPR. Now is the time to get ahead in understanding ePrivacy and its effect on business communications to ensure you are better prepared for this future.
In the world of Information Technology, change is constant, compliance is inevitable, adaptability is required; therefore, staying one-step ahead of the latest industry advancement is critical for success. This is as true for important regulations like GDPR as it is for technological breakthroughs. There is no data-protection Crystal Ball, but if we watch the development of best practices globally, it is possible to be prepared for the future. For example, GDPR clearly influenced the California Consumer Protection Act which will take effect in 2020, and in India, a draft has been released for a local data-protection act very similar to GDPR. It is clear that data-protection regulation will get stricter around the world as new bills are passed, but with proper education and careful planning, enterprises can overcome the obstacles and reap the rewards of secure data management.
With one very telling and informational year under our belts, it’s time to take what we’ve learned and prepare for what’s to come.