GDPR: Where are we now? And what happens next?
Quite a lot will now go down to the regulator’s appetite
So … May 25th came and went, quickly followed by the football world cup and a heatwave which wrecked most of Europe and many other parts of the world …
Around the GDPR, bureaucracy claimed its birth rights over the act and things went back to normal: Snake oil vendors packed their stalls and alleged experts headed for the beach … The anti-climax was predictable, and we are still going through that phase where all players are expecting regulators to set their first fines and wondering “where the big one is going to come from”.
Of course, a few activists lodged the complaints they had been preparing for years against US tech majors, and anecdotal evidence suggests that breaches are being reported and the regulation is being exercised.
But looking beyond the mundane activities of the past few months, there are 3 observations starting to emerge, which do not paint a pleasant picture:
Confusion clearly reigned amongst marketing communities during the few weeks leading to May 25th
It was at first laughable then it became annoying. And it created panic for many management teams: Are we doing the right thing? Why are we asking for an opt-out while the competition is asking for an opt-in?
In reality, this absolute shambles shows the extent to which the GDPR was misunderstood and misinterpreted by snake oil vendors and alleged experts.
If this is any measure of the level at which compliance measures have been applied, many firms – large and small – could wake up with surprises at the first hurdle.
More generally, the GDPR has put the topic of personal data on the Board agenda in many large firms, but it has not been the catalyst for change it could have been.
The whole topic was broadly treated as another compliance exercise and left in the hands of Legal or Marketing teams. It has been seen as a “box-checking” project, not an opportunity to approach personal data differently and change cultural and ethical attitudes towards data.
Teams at the periphery of the exercise – IT and Security teams in particular – have generally failed to capitalise on the matter and could end up marginalised further as a result.
In spite of the tens of millions spent over the past few years on GDPR compliance, many large firms have failed to see it as a truly transversal matter and have not taken the opportunity to build a transversal governance capability around data privacy: It could end up costing them dear.
In spite of all the hype and the media agitation of the last quarter, many organizations have not yet done anything significant around GDPR compliance or are just starting.
Some have made the deliberate decision to “wait-and-see”; some have been scared by the compliance costs; some have woken up too late and are still in the process of building up business cases and operational capabilities; some are just too dysfunctional to reach a decision on something that complex.
Many of those firms do handle personal data however – some on a large scale – and are probably the real cases on which the authority of the regulators should be tested.
Even in large firms that have acted on the matter over the past 2 years, many large scale GDPR compliance projects started late and are still going on, but at some stage – probably at year end – management is going to turn off the money tap: What will happen then?
As we pointed out in February, quite a lot will now go down to the regulator’s appetite.
In fact, they have a difficult hand to play: If they are inconsistent, too heavy-handed or too lenient, focus only on the GAFA, or pick the wrong battles with small firms, they will dilute the act, endanger their credibility and lose momentum.
In essence, the ball is in their court. They have been asking for more powers for the best part of the last decade, but if they wait for too long before acting significantly, this may well turn out to be the new Y2K in the end…