After years of preparation, GDPR D-Day finally happens! Probably the most visible part of the General Data Protection Regulation (GDPR) enforcement is the hundreds of emails we have all received asking us to reconfirm we agree on receiving information from numerous companies, some we know quite well and want to remain in touch with, and others we have completely forgotten about. Next step is to see what is going to happen to our inbox in the next few days: will all spam stop instantly like magic? At least, if GDPR already leads to less cluttered email, it will already have been a success.
More globally, GDPR aims at bringing a healthier personal data governance and reinforcing general public consideration about the value of personal data. GDPR includes provisions covering consent, data portability, right to erasure, right to object to profiling, breach notification, data protection assessments, and data protection officers.
GDPR naturally applies to major companies which business is to manage and generate profits out of our personal data, like Facebook, Google and others, as well as millions of small enterprises that just keep a list of contacts and send them information every so often. While the new regulation aims at making the general public more conscious of personal data issues, it also results in an increasing workload, additional bureaucracy and, at the end of the day, additional costs, on the corporate side. According to Ernst & Young, the world’s 500 largest corporations will spend a total of US$ 7.8 billion (EUR 6.65 billion) to comply with GDPR.
A less visible part of GDPR is the obligation given to victims of a personal data breach to report breach notifications to the supervisory authority within 72 hours of becoming aware of the breach. Such an obligation was already existing in American law, now it is also present in Europe. The goal of such a regulation is, at the same time, to inform the general public about personal data issues and to lead companies dealing with personal data to set up more secure and more efficient data protection systems. This goes through the implementation of controls to help prevent and identify breaches and to permanently test network and data security.
Polls show that if SMEs see GDPR as a chore, larger organizations are considering it as an opportunity to have a healthier personal data management and to develop business models that will at the same time allow new opportunities based on personal data and be respectful of European regulations. As a starting point, GDPR has triggered an increased demand for Data Protection Officers (DPOs), up to needing 75,000 DPOs worldwide to comply with the new regulations, according to IAPP, the International Association of Privacy Professionals.
More globally, GDPR is a step on the path to EU Privacy Regulation (ePR), which aims at recognizing protection of personal data as a basic right and part of the European Charter of Human Rights. As GDPR covers not only European companies, but also any non-European organization dealing with personal data of European citizens, we can expect GDPR rules enforcement to spread worldwide. This way GDPR is an instrument of soft power in the ongoing battle for world influence between the EU, the US and Asian powers.