GDPR: It's here, so what happens now?

What does GDPR really mean for consumers and business? And will those giant fines really happen?
Written by Danny Palmer, Senior Writer

It's finally here. After years of preparation and planning, on 25 May the General Data Protection Regulation (GDPR) comes into force across the European Union, with implications for individuals and businesses in the region and beyond.

While -- in theory -- work towards becoming GDPR compliant has been going on behind the scenes for some time, the impact has become more obvious in the last few weeks as organisations send out emails to customers detailing new privacy policies which come into force with GDPR and asking for their continued consent to use their data.

At its core, the regulations are designed to reflect the world we're living in now, and bring laws and obligations around personal data, privacy and consent across Europe up to speed for the internet-connected age.

Organisations must be compliant with the legislation and in the event of a data breach and let customers -- and the regulators -- know that the data has been accessed or lost within 72 hours. Those found to be non-compliant if found to misuse, exploit, lose, or otherwise mishandle personal data could face fines.

See: IT pro's guide to GDPR readiness (free PDF)

But despite GDPR being something which organisations have known is approaching for some time, some still aren't ready for it to be in effect.

"I'm not sure if everyone got their heads around the size of the task. We're finding that there's an appetite to comply, but they don't realise the size of the task and what that means, what good privacy practice takes to flow through an organisation," Emma Wright, commercial technology partner at law firm Kemp Little told ZDNet.

Large organisations have found preparing for GDPR to be challenging enough, but for small and medium sized businesses, it has proven even trickier -- to such an extent that some SMEs are being forced to cherry-pick the parts of GDPR deemed to be most important to comply with.

"They're still struggling to get everything done. They're being tactical, looking at the priorities, for example, making sure public-facing policies are rolled out, breach-management procedures are sorted out," Luther Teng, risk advisory senior manager at EY told ZDNet. "Companies are still scrambling around in preparation for compliance".

But even those organisations which feel as if they're prepared for GDPR can't rest on their laurels: as practices and technologies change, businesses will need to ensure they're acting within the law.

"You'd expect people to carry on with their preparations, so the overwhelming logic is businesses will carry on trying to prepare, improve themselves and get ready," Stewart Room, lead partner for GDPR and data protection at PwC told ZDNet.

"Because if people regard May 25 as a finishing line, that's an error: this is a perpetual legal regime which will require constant work and improvement".

See also: What is GDPR? Everything you need to know about the new general data protection regulations

Companies learning how to deal with GDPR in real time could even result in too much caution, with organisations potentially detailing breaches and incidents that don't actually need reporting to regulatory bodies like the Information Commissioner's Office.

"When a new environment of transparency kicks in as law, there's a tendency to over-comply," said Room.

Through nervousness of what the regulatory system is about and what it means, organisations may default to a risk-averse position and therefore notify things they may not notify in a years' time when they get a better understanding of the legal environment in which they're operating.

"Breach notification could go through the roof, with more investigations, fines and compensation claims," he added.

It won't just be organisations who are testing the waters of GDPR: there are individuals who are keen to ensure they take advantage of the new rights they have over data.

"Going forward, people will have a lot more control over how their data is processed and used and they may want to know everything you do with their data," said Teng. "What you'll find is a bunch of people will want to kick the tyres and test the system to raise to the ICO how companies aren't compliant".

Organisations shouldn't be living in fear about what they're doing with data -- at least if what they're doing is above board; indeed, they should be able to take GDPR and run with it as a new way of interacting and doing business with customers.

"This is an opportunity to inform customers and become more transparent and in some ways build a more meaningful communications channel," said Wright.

"Some are seeing it as a real opportunity for their brand, that the trust and integrity around data will support their brand and make their brand seem more transparent and trustworthy - that's a real opportunity."

Nonetheless, because of the very nature of GDPR and the reporting of security incidents which have now become an obligation, there will now be a rise in disclosed breaches -- because those organisations which don't disclose them risk a huge fine and reputational damage.

"Just in the very nature of the law expanding in scope, we'll see a massive increase in the number of breach notifications," said Room.

While some organisations might have tried to sweep an incident under the rug in the past, now "you have to air your dirty laundry in public and do it within 72 hours" said Teng.

See also: GDPR compliant? Here's a handy five-step preparation checklist

Eventually, someone will get fined for non-compliance: but don't expect it to be any time soon, because even if an organisation revealed a breach on May 25 and is eventually found to be non-compliant -- the whole process will take months, or even up to a year.

"Due process as a matter of law means it'll be many months before we see GDPR fines because you can't just accelerate this to a point of immediate effect because legal due process will fail and the fine can be challenged. The fastest mechanisms still have systems which take months to go through," said Room.

Nonetheless, the fines and penalties are there to be used and organisations found to be non-compliant following a breach should be prepared to face them -- and regulatory authorities should be prepared to hand them out.

"It's a warning stick. The European Commission has stressed that fines are applicable to most breaches and that data protection authorities should be prepared to issue them," said Wright.

The four percent of global turnover figure looms large when it comes to discussions about GDPR financial penalties, something Teng described as "the doomsday scenario" -- but it could become reality if an organisation is viewed to be completely and totally negligent.

"The reality is not all organisations can say I'm compliant in all areas, but if there's a breach and regulators step in they'll look to see if you have the minimum controls in. But the four percent is a big stick, but will only be dished up for organisations with nothing in place," he said.

For some, it could mean going back to square one because many organisations who've purchased data through brokers or aggregator services can't be certain that consent has ever been given. Deleting the data might be painful, but in the long run it is worth it to avoid being viewed as non-compliant.

"It's all about taking the risk-based approach. With some companies at top level, management has decided it's probably best, if they don't have consent, to delete it and start again, that the fine isn't worth paying for," said Teng.

But when it comes to fines, the regulatory authorities might find they need to act sooner rather than later, because people have been told they're coming -- so if organisations are seen to get off lightly, it might undermine the whole legislation.

"If a regulatory system doesn't start to deliver, people might think it was all hype then stop investing and not bother with this anymore, leading to weakened data protections," said Room. "If data protection bodies give the impression that this is a pointless exercise, then people will treat it as if it is."

Ultimately, the enforcement of GDPR is going to be a learning experience for all involved -- individuals, organisations and the regulators -- following May 25.

"Everyone knows May 25 is the date," said Wright. "Because the fines change significantly, that's the main difference between pre and post-May 25 at this point".

Put simply, now that GDPR has arrived it isn't the end -- it's a new era of data privacy wherein organisations will have to constantly reevaluate data security and the consequences for failures. The GDPR journey is just beginning.


Editorial standards