GDPR: Where are we now? And what happens next? by Jean-Christophe Gaillard

Quite a lot will now go down to the regulator’s appetite

So … May 25th came and went, quickly followed by the football world cup and a heatwave which wrecked most of Europe and many other parts of the world …

Around GDPR, bureaucracy claimed birthrights over the act and things went back to normal: Snake oil vendors packed their stalls and alleged experts headed for the beach … The anti-climax was predictable, and we are still going through that phase where all players are expecting regulators to set their first fines and wondering “where the big one is going to come from”.

Of course, a few activists lodged the complaints they had been preparing for years against US tech majors, and anecdotal evidence suggests that breaches are being reported and the regulation is being exercised.

But looking beyond the mundane activities of the past few months, there are three observations starting to emerge, which do not paint a pleasant picture:

Confusion clearly reigned amongst marketing communities during the few weeks leading to May 25th

Everybody’s mailbox – personal and professional – was flooded by countless emails seeking some form of GDPR consent: Some were asking for an opt-in, others offering an opt-out and many were just pushing some form of updated “privacy policy”.

It was at first laughable, then it became annoying. And it created panic for many management teams: Are we doing the right thing? Why are we asking for an opt-out while the competition is asking for an opt-in?

In reality, this absolute shambles shows the extent to which the GDPR was misunderstood and misinterpreted by snake oil vendors and alleged experts.

If this is any measure of the level at which compliance measures have been applied, many firms – large and small – could wake up with surprises at the first hurdle.

More generally, the GDPR has put the topic of personal data on the Board agenda in many large firms, but it has not been the catalyst for change it could have been.

The whole topic was broadly treated as another compliance exercise and left in the hands of Legal or Marketing teams. It has been seen as a “box-checking” project, not an opportunity to approach personal data differently and change cultural and ethical attitudes towards data.

Teams at the periphery of the exercise – IT and Security teams in particular – have generally failed to capitalise on the matter and could end up marginalised further as a result.

In spite of the tens of millions spent over the past few years on GDPR compliance, many large firms have failed to see it as a truly transversal matter and have not taken the opportunity to build a transversal governance capability around data privacy: It could end up costing them dear.

In spite of all the hype and the media agitation of the last quarter, many organizations have not yet done anything significant around GDPR compliance or are just starting.

Some have made the deliberate decision to “wait-and-see”; some have been scared by the compliance costs; some have woken up too late and are still in the process of building up business cases and operational capabilities; some are just too dysfunctional to reach a decision on something that complex.

Many of those firms do handle personal data, however – some on a large scale – and are probably the real cases on which the authority of the regulators should be tested.

Even in large firms that have acted on the matter over the past 2 years, many large-scale GDPR compliance projects started late and are still going on, but at some stage – probably at year-end – management is going to turn off the money tap: What will happen then?

As we pointed out in February, quite a lot will now go down to the regulator’s appetite.

In fact, they have a difficult hand to play: If they are inconsistent, too heavy-handed or too lenient, focus only on the GAFA, or pick the wrong battles with small firms, they will dilute the act, endanger their credibility and lose momentum.

In essence, the ball is in their court. They have been asking for more powers for the best part of the last decade, but if they wait for too long before acting significantly, this may well turn out to be the new Y2K in the end…


The Business Transformation Network has posted this article in partnership with Corix Partners.

----------------------------------

Jean-Christophe Gaillard is Founder and Managing Director of Corix Partners

He is a senior executive and a team builder with over 25 years of experience developed in several global financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.

A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.

He runs the Corix Partners blog and contributes regularly to the CIO Water Cooler, and has previously published articles on the InfoSecurity Magazine, Computing, C-Suite.co.uk, Info Sec Buzz and IoD Director websites. He was listed in the top 10 of the UK's 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.