The media bubble surrounding the introduction of the GDPR in May 2018 included much hype and speculation about how the new data protection legislation would impact various industries. Few stopped to take stock of the fact that ‘getting ready for GDPR’ seemed to be creating a micro-industry in and of itself. On the other hand, some said it was just that: a hyped-up bubble that would, like Y2K, simply disappear once the deadline had passed.
The GDPR Industry
In the latter stages of 2017 and early 2018 some panic did start to set in, with companies scrambling to get on track for GDPR compliance. For large institutions this meant lawyering up to interpret the somewhat vague new data protection legislation, in order to review or even establish policies and procedures for the new compliance landscape. That is somewhat the point: such companies were unlikely to be starting from scratch, as they were already required to comply with the pre-GDPR 1995 EU Data Protection Directive (DPD) and other privacy regulations and data security standards. For instance, if handling card payments they would also be familiar with ensuring compliance with PCI DSS.
However, what caused the hype around GDPR was not the fact that it brought a somewhat stricter framework for protecting personal data than had existed under previous EU regulations, or that it shifted the requirement to prove compliance onto the organization rather than requiring the regulator to prove the opposite. What got the attention of the market seems to be the fact that GDPR encompassed the potential for far stricter penalties – €20 million or 4% of annual turnover, whichever is the greater.
If the intention of the fines was to direct the attention of organizations to their responsibilities under Data Protection regulations, then it certainly worked. Many organizations chose to validate their existing Data Protection Policies and Procedures, and I suspect some found them wanting or non-existent even in relation to existing EU or even local legislation. As these larger organizations set about getting their house in order, smaller businesses and even sole traders were also seeking guidance, looking mostly to local and national government, and searching for online support. Predictably, where there is demand, supply follows. GDPR consultants and dedicated firms began to emerge. So too did a host of ‘GDPR entrepreneurs’, creating GDPR products and service offerings for businesses at all levels, from sophisticated tech platforms for managing large organizational compliance to out-of-the-box template solutions.
The GDPR industry burst into life and, even post-deadline, every business topic seems to have a GDPR dimension. But will this so-called GDPR industry survive and thrive? What exactly are its chances of thriving in the post-GDPR period? Personally, I would say that the emphasis on compliance with Data Protection and other privacy regulations will continue, not as a hyped-up topic spreading falsehoods and rumor to scare businesses into compliance, but as a sensible methodology for evaluating what is reasonable, practical and of course legal when it comes to utilizing personal and sensitive data. Proper, considered and compliant use of such data will become the norm, and there will be a genuine need for expertise, systems and tools to assist organizations to evaluate, implement and, most importantly, demonstrate their compliance with the regulations in a manner that is appropriate for their business, the nature of the processed data and the sensitivities of the data subjects.
GDPR must be ‘business as usual’
For any organization processing personal data, GDPR is not a one-off program that has now passed; it is a serious business need that requires ongoing attention throughout the organization.
According to research published by Markets and Markets, the GDPR market is predicted to grow from $907.4m in 2018 to $2.7bn in 2023. Make no mistake, this isn’t just latecomers to the GDPR party. It represents ongoing facilitation of GDPR policy as part of ‘business as usual’ operations. The protection of personal data will also be compelled by increasing concerns and awareness about privacy and security in these increasingly digital times. Ongoing investment is needed to ensure no data breaches take place, and to demonstrate compliance with the GDPR. How then is this money best spent to future-proof your organization?
Ongoing investment in GDPR Compliance
For me, it comes down to the nuts and bolts of GDPR compliance – people, policies and technology. The weakest link in any information security chain is always the humans involved. Investing in regular GDPR awareness training for employees of all levels is therefore critical. A laudable Privacy or Data Protection Policy that is not understood and followed throughout the organization will not serve anyone well in the event of a breach, a fine or other sanction from the regulator. These policies and procedures, which provide the roadmap for collecting, controlling and processing personal data, need to be regularly assessed to ensure they remain fit for purpose as the business environment changes. If your people know and understand why and how they should comply, complying with the regulation is not difficult. While the digital world is at the heart of data protection and risk, it also supports compliance. A simple, intuitive GRC suite or integrated risk-management platform that everyone can access will be money well spent, once the right solution for your business can be found. These systems will need to expand and evolve as the organization changes the way it uses personal information to succeed in its mission.
The EU’s GDPR legislation is here to stay, and it does seem that it may be the harbinger of similar changes across the Atlantic and elsewhere. It seems likely that the hype will die down, although a few high-profile breaches, fines or sanctions that impact company performance may kick-start it again. Ultimately, the cost and risk of a GDPR breach are too high for companies to ignore, so they must continue to invest in maintaining compliance. Thus, the GDPR economy will prevail.