No two predictions about the effects of GDPR are the same.
When I attended the MER (Managing Electronic Records) conference in Chicago earlier this month, I was floored by the sheer number of predictions from speakers and attendees about what would happen to businesses once GDPR, Europe’s General Data Protection Regulation, became enforceable on May 25.
Everyone seems to have a prediction. Amazingly, many of them contradict one another! If someone tells you they know what’s going to happen as GDPR comes into force, they’re just flat-out dreaming.
The best way to tackle GDPR is with good information governance.
One thing is certain: getting back to the basics of good information governance will help organizations become prepared for any scenario. As I wrote late last year in How to Make It Easier to Comply with GDPR, it’s critical to do the fundamentals well.
Some people believe small companies are more vulnerable to GDPR fines; others believe large companies are more vulnerable.
Here are some of the predictions that I heard, in no particular order. Some are possible; others seemed a little farfetched:
1. The Small Fry Scenario. European regulators will be starved for revenue that will come from enforcement. That means, said some soothsayers, enforcement will fall disproportionately on smaller organizations. Their thinking is that smaller organizations won’t have the resources to fight the audits; they’ll accept the fines. And the regulators get a stream of income.
2. The Big Fry Scenario. Others at MER had the complete opposite view. Their take was that regulators will go after the very big, visible fish: large multinationals and name-brand enterprises. They believe, too, that regulators will go after the tech giants, such as Facebook, Google or Amazon, that own and use an avalanche of consumer information.
Because GDPR adds to existing regulations, European companies are better prepared than American ones.
3. The All Companies Are Affected Theory. Many GDPR watchers aren’t aware that there were predecessor regulations, some going back more than 40 years, that guaranteed privacy and access rights long before the EU adopted GDPR.
GDPR goes several steps further than the old rules, of course, by codifying fines that look large and overbearing when they reach the maximum of 4% of global annual turnover. If you’re a European company, you’ve presumably been living under the predecessor rules for years, so for you GDPR isn’t that much of a change.
Will GDPR regulators ignore "fringe" cases where the company has very little business in Europe?
4. The Barely-in-Europe Scenario. Others predicted that regulators won’t go after “fringe cases.” These people believe regulators will leave companies alone if they have just a few dozen EU records or customers. This theory holds that these organizations won’t be actively pursued by the regulatory bodies.
Some of the people who hold this opinion predicted that some companies may take the risk and not comply with GDPR for the sake of a handful of records. While we don’t agree with a head-in-the-sand approach, it is true that spending money to adhere to a regulation is a business decision. Though risky, it is conceivable that complying could cost you more than the exposure. Net-net, you need to understand the risk your information presents.
5. The No Maximums Imposed Theory. Regulators will not “go all the way” with fines. The maximum fines, up to €20 million or 4% of global annual turnover, whichever is greater, simply won’t be imposed. Adherents to this give-’em-a-break theory may just be practicing wishful thinking. Again, the truth is that no one knows what’s going to happen.
Some observers believe that GDPR will encourage a flood of DSARs (data subject access requests).
6. The Cyber Attack Scenario. I heard someone theorizing that bad actors, or even competitors, could overwhelm companies with automated data subject access requests. If the requests become frequent and onerous enough, DSARs turn into a denial-of-service attack: GDPR gives you one month to respond, and if you don’t respond in time, the enterprise is threatened with being reported to the regulatory bodies.
DSAR as DoS cyber attack is, I suppose, theoretically possible, especially if you’re a state-run or government-sponsored business. But I have to believe that adherents to this prediction are just entertaining conspiracy theories. And conspiracy theories quickly turn into rabbit holes.
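Whichever way that prediction turns out, the intake side of a DSAR process is where a flood would land, so here is what the basic controls look like in code. This is an added example, not code from the original post or from any product it mentions; the class and function names, the thresholds (five requests per hour per source, a 30-day repeat window) and the sample batch are assumptions made for illustration. The two GDPR hooks it leans on are real: Article 12(3) sets a one-month response window, Article 12(6) lets a controller ask for information to confirm a requester’s identity, and Article 12(5) lets it treat manifestly unfounded or excessive requests differently.

```python
"""DSAR intake with per-source flood control, identity gating and
repeat-request detection.

Added example; not from the original post. Names, thresholds and the
sample request batch are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Art. 12(3) GDPR: respond at the latest within one month of receipt.
# "One month" is modelled as 30 days here (assumption).
RESPONSE_WINDOW = timedelta(days=30)
# Assumed operational thresholds for this example.
RATE_LIMIT_PER_SOURCE = 5           # requests per rolling hour from one source IP
RATE_WINDOW = timedelta(hours=1)
REPEAT_WINDOW = timedelta(days=30)  # same subject + same scope within this = "repeat"


@dataclass
class Request:
    subject_email: str
    source_ip: str
    received: datetime
    scope: str                      # e.g. "access", "erasure"
    identity_verified: bool = False


@dataclass
class Decision:
    status: str                     # "queued", "needs_identity", "throttled", "repeat"
    due: datetime                   # statutory deadline; the clock runs regardless of status
    note: str = ""


class DsarIntake:
    def __init__(self) -> None:
        self._by_source: Dict[str, List[datetime]] = defaultdict(list)
        self._by_subject: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)

    def triage(self, req: Request) -> Decision:
        due = req.received + RESPONSE_WINDOW
        # 1. Flood control per source. A burst from one address is diverted to a
        #    human review queue instead of the automated export path. Nothing is
        #    dropped: the deadline is still recorded.
        recent = [t for t in self._by_source[req.source_ip] if req.received - t < RATE_WINDOW]
        self._by_source[req.source_ip] = recent + [req.received]
        if len(recent) >= RATE_LIMIT_PER_SOURCE:
            return Decision("throttled", due, "burst from one source; manual review")
        # 2. Never export personal data to an unverified requester
        #    (Art. 12(6): the controller may ask for identity confirmation).
        if not req.identity_verified:
            return Decision("needs_identity", due, "verify identity before processing")
        # 3. Identical, recent request from the same verified subject: a candidate
        #    for Art. 12(5) "excessive" handling. Flag it; a human decides.
        key = (req.subject_email.lower(), req.scope)
        prior = [t for t in self._by_subject[key] if req.received - t < REPEAT_WINDOW]
        self._by_subject[key].append(req.received)
        if prior:
            return Decision("repeat", due, f"{len(prior)} identical request(s) in window")
        return Decision("queued", due)


def run_sample_batch() -> Dict[str, int]:
    """Triage a constructed batch: one legitimate request, one unverified one,
    one duplicate from the same subject, and a scripted burst from a single IP.
    Returns a count of requests per triage status."""
    t0 = datetime(2018, 6, 1, 9, 0)
    batch = [
        Request("ana@example.org", "203.0.113.10", t0, "access", True),
        Request("bob@example.org", "203.0.113.11", t0 + timedelta(minutes=1), "access", False),
        Request("ANA@example.org", "203.0.113.12", t0 + timedelta(days=2), "access", True),
    ]
    # Constructed burst: eight verified-looking requests from one address in eight minutes.
    batch += [
        Request(f"user{i}@example.net", "198.51.100.7", t0 + timedelta(minutes=i), "access", True)
        for i in range(8)
    ]
    intake = DsarIntake()
    counts: Dict[str, int] = defaultdict(int)
    for req in batch:
        counts[intake.triage(req).status] += 1
    return dict(counts)


if __name__ == "__main__":
    print(run_sample_batch())
```

The ordering of the three checks matters: flood control runs before identity verification so that an attacker cannot burn staff time by forcing identity checks on thousands of junk requests, and the repeat check runs only on verified subjects so that a spoofed e-mail address cannot be used to get a real person’s request flagged as “excessive”.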
Arguments for and against a U.S. national GDPR-type law.
7. The US is Next. Quite a few people predict that we’ll see a GDPR-like regulation in the United States within the next four years. They think that there may be federal laws or regulations that will mimic European rules.
I don’t agree. From a cultural perspective, the US takes a very different view of privacy. We don’t have the same history of living under authoritarian regimes as do the Germans, Italians, Spanish, Portuguese and citizens of many central European countries. That’s one reason Europeans culturally are more concerned with privacy.
As I recently wrote in Is GDPR Even Needed in the U.S.?, American companies are beginning to self-regulate in light of the mega-breaches and the Facebook-Cambridge Analytica fiasco. The ongoing reality for any company with European connections is that you need to comply with GDPR. Whether you have to comply with GDPR today or with GDPR-like regulations in the future, transparency, privacy and access will continue to be important. Everyone will have to start dealing with the spirit of GDPR.
The most effective preparation for GDPR is good, basic information governance.
That brings us back to the most effective preparation for GDPR, whichever prediction comes true: you need good, basic information governance. Know what type of data you have, where it’s being stored, and how you can start to get rid of it (where legal and regulatory retention requirements allow). See my late 2017 blog post, Retention and Sensitive Data Identification. Be sure you have the right resources in place to manage the information, and that your policies are aligned throughout the organization.
Act quickly and effectively when you find a breach of customer data; GDPR’s Article 33 expects notification to the supervisory authority within 72 hours of becoming aware of a breach, where feasible. Employ the right tools for discovery and to remediate the data that you want to delete or archive.
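“Know what data you have and where it is” starts with a scan, and a naive pattern scan produces more noise than findings. The example below is added here to show the shape of that work; it is not code from the original post or from any product. The file names, the records in them and the two detectors (e-mail addresses and IBANs) are constructed for illustration. The point worth taking from it is the checksum step: an IBAN-shaped string is reported only if it passes the ISO 13616 mod-97 check, which is what keeps order numbers and similar look-alikes out of the inventory.

```python
"""Sensitive-data identification over a constructed set of files.

Added example, not from the original post. Detectors, file names and
sample records are assumptions for illustration only.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample corpus standing in for a file share or export directory.
# Line 2 of the CSV carries a valid IBAN; line 3 carries one with a bad check digit.
SAMPLE_FILES: Dict[str, str] = {
    "exports/customers_2017.csv": (
        "id,name,email,iban\n"
        "1,Ana Silva,ana.silva@example.org,GB82 WEST 1234 5698 7654 32\n"
        "2,Bob Lee,bob@example.net,GB82 WEST 1234 5698 7654 33\n"
    ),
    "notes/meeting.txt": "Follow up with sales@example.com re: Q3 forecast; order ref PO-2204-7718\n",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose IBAN shape: country code, two check digits, then 4-character groups with optional spaces.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")


def iban_checksum_ok(candidate: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must be 1 mod 97."""
    compact = candidate.replace(" ", "").upper()
    if not 15 <= len(compact) <= 34:
        return False
    rearranged = compact[4:] + compact[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)  # '0'-'9' unchanged, 'A'->'10' ... 'Z'->'35'
    return int(digits) % 97 == 1


def mask(value: str) -> str:
    """Keep only the last four characters so the report itself is not a new copy of the data."""
    compact = value.replace(" ", "")
    return "*" * (len(compact) - 4) + compact[-4:]


def scan(files: Dict[str, str]) -> List[dict]:
    """Return one finding per detected item: file, line number, kind and masked value."""
    findings: List[dict] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in EMAIL_RE.finditer(line):
                findings.append({"file": path, "line": lineno, "kind": "email", "value": mask(m.group())})
            for m in IBAN_RE.finditer(line):
                # The pattern alone over-matches; keep only candidates with a valid checksum.
                if iban_checksum_ok(m.group()):
                    findings.append({"file": path, "line": lineno, "kind": "iban", "value": mask(m.group())})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Counts per data kind, the first thing a retention review needs."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
    print(summarize(scan(SAMPLE_FILES)))
```

On the constructed corpus this reports three e-mail addresses and exactly one IBAN: the second IBAN-shaped value fails the checksum and is left out, and the purchase-order reference never matches at all. In a real deployment the detectors would be extended to whatever identifiers your business actually holds, but the discipline is the same: validate before you report, and report a location and a masked pointer, not a fresh copy of the data.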
I don’t know about you, but I’m curious to see if any of these predictions will come to pass. We’ll have to wait and see. Remember all those predictions leading up to Y2K?