The European Union’s General Data Protection Regulation (GDPR) commanded the attention of the business community throughout 2018. Thought leadership gatherings such as ISACA conferences and webinars attempted to answer questions like, “What does it take to comply?” and “What will enforcement look like?”
Answers were largely speculative, and the actual enforcement processes associated with the regulation are only now taking shape. We can, however, look back at 2018 and make some observations about what has been accomplished, the drivers of compliance activities, and the work left to be done.
At six months past the implementation deadline, many organizations have harvested the low-hanging GDPR fruit. Privacy policies have been updated, cookie notices added to websites, and mechanisms have been deployed to support opt-in, opt-out, and data subject requests. Those using third parties to process data, or those who are the third party, have defined commitments and expectations regarding personal information. Training programs have been rolled out to educate about GDPR-related issues. Accomplishing these items has allowed organizations to mark a significant part of their GDPR checklist as complete and to have a reasonable story to tell in case of an incident.
The desire to comply with GDPR and avoid any potential fines motivated much of this activity. Since GDPR, the regulatory landscape has continued to change and evolve. A proliferation of privacy and data breach regulations (such as the California Consumer Privacy Act, Brazil’s new data privacy regulation, etc.) has refocused the discussion from a single regulation to an overall issue of data privacy and business process. As recently explained by a business executive, “There is no way we can fund a new project to comply with each privacy and security regulation that comes along, so we must address these issues at a higher, more efficient level.” These conversations about compliance costs and efficiencies are driving the next wave of privacy-related projects.
Having addressed the basics, many of our clients now seek to reduce costs and lower their overall compliance risks. This often involves a deeper look at the role of data within business processes. Good information governance requires such things as accurate data and process maps, defined data lifecycles, security protections for data, and incident response plans. The ever-increasing risks related to compliance in a complex regulatory environment, and the standard benefits of good data governance, are causing many organizations to revisit some of these governance program elements. While 2018 saw a heavy focus on GDPR, 2019 may be a year of transformational governance projects as companies seek to reduce costs and compliance complexity by more precisely directing their use, management and protection of data.
The impact of GDPR has been significant, with more official guidance and enforcement decisions on the horizon. But the bigger story may be the pressures exerted on business processes by the combination of multiple data privacy and breach regulations, changing consumer expectations, and related B-to-B obligations. The next year may demonstrate how organizations are choosing to comply with GDPR while addressing these additional pressures.