The General Data Protection Regulation also known as GDPR adopted by the EU aims to strengthen EU citizens’ rights regarding their personal data protection. While some institutions started with its’ implementation already, others still seem not to understand the extent and impact of the change both on their internal processes and systems, as well as their products. An upcoming series of articles will cover both basics of the regulation and opinions on possible best-case scenarios.

The Final Countdown

The law comes into effect on May 25th, 2018, which leaves the companies less than 100 working days to become compliant. As hints show, there will be no space for grace period. In the words of Steve Wood, the UK’s Information Commissioner’s Office Head of International Strategy and Intelligence the approach of UK authorities will be: “ … a common-sense, pragmatic approach to regulatory principles.” Despite that it is a sole authority of only a single country, we might expect most will follow the suite.

There’s no checklist of what companies must do or implement, to comply. Rather it defines, what is expected when storing or processing customer data. GDPR is not prescriptive by purpose. It does not tell you that you must do this or that when acquiring customer data over the web, call-center or mobile. For the sole purpose of future proofness and system & process agnosticity. To cut the very long story short, it stimulates the approach of “I will treat your data as your good neighbour” - i.e. will ask you to borrow it, will use it only for the purpose said and will give it back to you when they have used it for the extent agreed.

Often GDPR is perceived as a legal matter demanding an IT solution. This very minimalistic approach omits other, equally valid, dimensions. In fact, the change spans across all of the company's functions including, but not limited to Product Management, Sales, Marketing or HR. Simply anywhere, where customer (employee) data play a role. In the upcoming articles, we explore the specific issues and propose solutions to several of them.

Impact of Non-compliance

The decision not to comply might have substantial, perhaps devastating effects. A simple missed impact assessment might cost an organisation up to 2% of their global annual turnover or 10M Euro. Violating the core of Privacy by Design concepts or insufficient customer consent might, however lead to a fine of 4% of global annual turnover.

Important to keep in mind when implementing necessary measures is that these will be evaluated based on outcome, not the process. Ask yourself the question, “Will this measure really protect my customers’ data?” The good news is that, in our opinion, you can turn a proper GDPR implementation into your strategic competitive advantage.

In the upcoming part, the article will dive deeper into the fundamental principles for processing your data in GDPR compliant way as well into the rights of data subjects.