Since the European General Data Protection Regulation (GDPR) was announced in April 2016, companies have had a two-year grace period to implement stronger data protection measures. Emails to consumers begging them to ‘keep in touch’ after May 25th, 2018 have been flooding inboxes, and GDPR is front page news. After this Friday, businesses potentially face steep fines and will have to answer to the European data protection authorities if they fail to comply with the new measures.
In this regulation-centric environment, it’s important for businesses to remember that the GDPR isn’t an end goal. Instead, it’s a stake in the ground – a starting position that will carry us through the coming decade with stronger consumer-focused privacy protection regimes, covering uses of personal data we haven’t yet imagined or prepared for and technologies that aren’t yet on the market. If GDPR and data protection are a journey, there’s a strong case to say that we’ve only just hit the road and that we are still far from our ultimate destination.
The roots of the regulation
The GDPR was developed to enhance the privacy of European data subjects and to simplify and harmonize the law around data protection within the EU. A new way of regulating the use and management of data was essential, both for consumers and for businesses. And the incumbent legislation (1998’s Data Protection Act, the UK’s interpretation of the EU’s Data Protection Directive of 1995) simply needed to adapt to the world we’re in now, having (quite understandably) not predicted the advent of big data and ubiquitous online social media platforms.
It has been reported that a significant number of businesses have been slow to take action or are taking a “wait and see” approach and the stats on GDPR readiness vary. But generally, most agree that as recently as Spring 2018, many or most companies were not prepared for the new legislation they’re going to have to work under. Smaller firms seem to be struggling the most, quite possibly because they lack the resources to hire a Data Protection Officer (DPO) or the ability to dedicate huge resources to coping with massive regulatory change and an uncertain enforcement climate.
The thing is that there’s no need for these businesses to be fearful of how the GDPR will affect them. Provided they’re making substantial, demonstrable efforts to be compliant, it’s actually a big opportunity to get closer to customers, to differentiate themselves competitively, and to move quickly as new technologies emerge that require compliance.
At BlackBerry, this is the proactive approach we have undertaken to leverage our legacy in security and privacy. As the BlackBerry DPO, I’ve been working for some time with a strong and collaborative cross-functional legal and cybersecurity support team; we have kept good records and documentation of our compliance efforts, and we have updated our internal policies and processes to ensure privacy is embedded in our thinking: from how we develop our products to how we engage with our customers. These measures, amongst others, are designed to ensure that we’re compliant now and can remain compliant in a future that’s both exciting and unpredictable, one which we believe will be defined by technological advancements that are still being developed.
Beyond May 2018
While the Data Protection Act of 1998 in the UK and its global equivalents may not have envisioned the way we now use data, they did reveal how unpredictable the technological future can be, and how rapid innovation and markets can evolve faster, and in ways that elude, lawmakers’ best policy-making efforts. In the case of the GDPR, lessons do seem to have been learnt. The 99 articles of the legislation are future-proofed to a degree, in some of the more technology-agnostic ways in which they protect data. Still, it’s conceivable that the contours of the GDPR will continue to evolve to some degree through regulatory enforcement and guidance to accommodate what’s to come.
The GDPR has set a new regulatory standard for customer privacy, and businesses must consider how new solutions they may deploy, whether product offerings or business practices, will stack up in terms of data security. They must remember that GDPR compliance today does not equate to GDPR compliance forever, and that this month is the start of a process, not the end of one. In essence, it’s a journey, not a destination.