As we are approaching the deadline of May 25, there is an increased frenzy towards what lies ahead (read my blog about the Y2K comparison here). I thought it would be timely to look back to what the original goals were, and its main elements. When the text was proposed in 2012 by the European Commission. It also made me realize that the GDPR has been with me for more than 10 years. Ouch.
Pre-2012
Around 2007-2008, the European Commission started reaching out to stakeholders to understand their views regarding the, at that time, 12-year-old Data Protection Directive. Then Commissioner Vivane Reding and her, now even more well known, aide Martin Selmayr were the driving forces behind this discussion. This led to a couple of consultation processes resulting in the final proposal in 2012. There were 2 main goals: reduce administrative burdens and increase the rights of data subjects (click here for the original press release).
To Harmonize or Not to Harmonize (or a Little Bit)
The 1995 Data Protection Directive set out the general structure and framework. Over time, however, various interpretations existed across Europe. This made it more difficult for organizations to address some of the privacy issues across the EU. The harmonization push was definitely one of the main drivers to go for a Regulation (for the difference between a Regulation and Directive, click here). The discussion on a lead authority was another example of this discussion. So where do we stand? It definitely is a Regulation. But I see a risk on two fronts: one, potential divergences during the current GDPR implementation discussions at the national level; the other one is the potential for divergent national guidelines by Data Protection Authorities. I believe that the new European Data Protection Board will play a crucial role in ensuring convergence. However, I also believe there remains a strong role for the European Commission to track implementation laws and guidance.
Notification vs Documentation
In 2012, the European Commission said the GDPR would save business up to ?2.3 billion a year. Part of this would come from the removal of the notification obligation, where organizations would have to notify certain processing. At the same time, there was a documentation obligation. I have welcomed the need to provide certain audit trails regarding data processing at crucial points, for example, during the development stage, noting when certain decisions have been made. However, it remains to be seen if the notification obligation has been replaced by a much wider obligation to document and if there will be an actual cost reduction.
Increased Control
The right to be forgotten, to me, an old concept in a new political dress, was intended to send a strong signal to organizations that control should lie with users. At the same time, the stricter focus on lawful grounds of processing, with consent attracting most of the attention, also serves as a driver for more transparency and control to the user. The coming months will show how organizations and users are going to handle and execute on these rights.
Enforcement
Arguably the most striking difference with the Directive is the big enforcement focus. With fines of 2% to 4% of annual global turnover, the law definitely has more teeth than its '95 predecessor. I strongly believe that this has enabled the data protection officers to raise the attention to the topic all the way up to the board level. However, it will be interesting to see how the national DPAs will handle their discretion around the actual fining of organizations and to what extent they will take into account efforts made by those organizations. Another interesting dimension will be to see how much emphasis will be placed on remediation programs instead of/in addition to fines, much like we have seen in the US with the FTC.
I strongly believe that the GDPR has become a game changer. A framework backed by strong enforcement is changing the mindset in the market. My discussions with customers and partners on GDPR implementation are a testament to that. These kinds of discussions wouldn?t have been possible 5-10 years ago. However, there is still a range of practical challenges and questions that need to be addressed.
If we really want the GDPR to become the gold standard across the world, we all need to keep some of these core tenants in mind.