You may not imagine consumer privacy protection as the epic tale of a great power struggle between scheming houses, but in the world of privacy professionals, a “Game of Thrones”-style drama has been underway, and the European Union is the fabled land of Westeros.
As anyone who watches the popular HBO series knows, themes of honor, loyalty, the nature of politics, and the corruptive potential of power are central to the show’s high-stakes plot. To sit on the “Iron Throne” is to rule the kingdoms of Westeros, and the price paid in its pursuit can be steep.
For the EU, consumer data is the Iron Throne, and the question of who rules will be defined in part by compliance with GDPR, aka the General Data Protection Regulation. GDPR is a sweeping regulation designed to “strengthen and unify data protection for all individuals in the EU” as well as govern “the export of personal data outside the EU.” Adopted in 2016, it becomes enforceable on May 25th, 2018, and that date is rapidly approaching. The time is nigh. As Ned Stark of House Stark says in the Game of Thrones series, “Winter is coming.” So it is with GDPR.
Every “house” that does business in the EU (or with its citizens) will be subject to GDPR. From the perspective of a privacy advocate, GDPR is one of the world’s most progressive international privacy protection efforts. Its definition of “personal data” and the scope of the regulation’s reach are designed to give citizens of the EU more control over their information. With enforcement looming, companies need to understand how cold GDPR’s winter weather can be if they find themselves out of compliance.
Seeing Hard Truths
Transparency is a major component of GDPR, as is understanding data flows and the purpose for which data is collected, used and retained.
As Tyrion Lannister says to Jon Snow,
“people would prefer hard truths be ignored, but if the hard truth is embraced, it can never be used against you.”
Those who ignore the truth of GDPR and its coming enforcement by regulators will face real consequences. Now is the time to embrace privacy, data governance, Privacy by Design, and the mindful collection and use of data.
Granted, no one has lost their head (yet!) over GDPR, but the sanctions for violations are enough to make compliance a must. When Ned Stark warns that “Winter is coming,” he means more than the harsh season opposite summer. He’s also referring to the dreaded “White Walkers” from the Far North, and when it comes to GDPR the fines are enough to make any CFO pale. Failure to comply with GDPR could result in “a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.”
Where Family Loyalty Matters
Though teams within your company may have competing goals and objectives, the pending arrival of GDPR is a time to bring warring departments together. Protecting common company interests means collaborating to solve data governance issues. What’s more, GDPR is an opportunity to build trust with customers and protect their data by implementing Privacy by Design.
Create a functional privacy program under GDPR by working a sensible strategy:
1. Conduct a gap assessment to determine your current status of compliance.
2. Identify priority issues and align business owners to create accountability and responsibility within the organization.
3. Scope and implement any new functionality and associated business processes.
4. Monitor and audit compliance internally, so that your company can respond quickly to complaints or inquiries related to GDPR.
Choose “House Privacy”
There are resources available to help you in your battle. GDPR is a hot topic with the International Association of Privacy Professionals. I recently spoke on the topic of “Practical and Risk-Based GDPR Compliance in an Uncertain Environment” at the PSR 2017 conference in San Diego, CA. Many of the session listings contain links to the presentations from the conference. Additionally, I have written for IAPP on a strategic approach to vendor management under the GDPR.
In “House Privacy” the individual and their right to privacy and sound data governance should always sit on the Iron Throne. Be prepared when GDPR arrives next year!