Current state of GDPR, part 1: two sources of fear
This article is split into three parts. The first part discusses the current state of GDPR. The second part is about reasonable compliance and a risk-based approach to it. The third part collects some ideas on what a long-term vision of data privacy could look like.
Short overview
Everyone should have heard of the General Data Protection Regulation (GDPR) by now, and may be surprised by the strength of its hype in mid-2018 compared with its near absence from public discussion now. GDPR can be roughly summarized as the pre-existing data protection regulations combined with draconian fines. And it applies to companies worldwide if they target European customers.
Why was GDPR a big topic?
Exactly those potential fines, combined with a lack of clear guidance, led to a surprisingly huge wave of public attention. But then, on May 25, 2018, GDPR became effective and people realized that the world was not going to stop. Supervisory authorities were expected to start enforcing GDPR sometime later in 2018. With the immediate danger gone, public attention declined rapidly. Still, there is a strong source of fear around that even stifles innovation. To explain that, we first need to take a closer look at some basics.
What is over-compliance?
Let’s first look at the different levels of GDPR compliance. For simplicity, let’s assume that compliance is a one-dimensional axis. At one end you have clear non-compliance; the further you move to the right, the higher the compliance. But there is neither a prize for the best GDPR compliance nor an absolute definition of it. It depends a lot on your business and technical setup. Everything that is not necessary but that you still do could be called over-compliance. That causes additional costs and can easily be used as a counter-argument against new products. Next we’ll have a look at the sources of fear.
Two sources of fear
The obvious fear of GDPR was induced by the high potential fines from the supervisory authorities. But that source is pretty empty right now, at least until the first bigger fines are imposed.
The other source of fear is of a private or internal nature. It is based on contracts between companies or on internal compliance programs. Those contracts could be between your startup and an investor or bigger customers. Internal compliance programs usually exist in bigger corporations. You personally may not have a lot to gain from a specific new product that you could pursue, but a lot to lose if you don’t comply with company policies. That’s why GDPR is a pretty big topic in larger companies despite its lack of public presence.
Outlook and what to do as a company
So why is this the case? One big reason is the lack of best practices. So far it is mainly lawyers who tell you what you need to do to be GDPR compliant. But the job of a lawyer is to explain to you what to do for full compliance; they can’t advise you on a middle path. Yet exactly this middle path is necessary to leave room for your company to prosper.
Don’t get me wrong. I’m a big fan of strong IT security. It’s quite annoying to regularly read about data leaks of gigantic datasets. The second part of this series will describe what such an approach of reasonable compliance can look like.
Also, most privacy experts still expect more substantial fines to be imposed in the first half of 2019, setting a precedent for the respective industry. So stay tuned.
Update February 21, 2019
The French supervisory authority CNIL has just imposed a fine of €50 million on Google for its non-compliant Android user onboarding flow. And several German supervisory authorities have imposed about 41 fines on German companies. So this article’s conclusion can basically be rewritten.