If You Think The GDPR Sucks…

If you think the GDPR sucks…

… Well, too bad, because it’s real, the fines are big, it will be enforced globally, and it’s probably not going anywhere. In all likelihood, other geographical regions will eventually adopt data regulations of their own.

If you are slowly, grudgingly, painstakingly working to comply, and even the mention of GDPR leaves a bitter taste in your mouth, this blog is for you! I’m here to tell you why the GDPR does not suck, or maybe why it sucks less than you think.

But first, for those that don’t know, GDPR stands for General Data Protection Regulation, and it regulates the processing of personal data of European citizens. It applies to organizations both inside and outside the European Union (EU) that process personal data of EU citizens. It was written and approved by the EU Parliament and takes the place of the 1995 Data Protection Directive 95/46/EC.

To comply, organizations will need to audit and map their data extensively, find a legal basis for processing personal data, make sure partners and third party processors are compliant, provide certain information to data subjects, possibly hire a data protection officer, perform data protection impact assessments, and much more.

Why The GDPR Does Not Suck

Here’s the biggest reason: just like everything else in the world, if personal data is not regulated, it will be handled carelessly and abused without consequences.

Food, medicine, houses, roads, water, trade, land, cars, etc. It’s all regulated. If people, organizations, and governments could do exactly what they wanted without consequence the world would be a less pleasant and more volatile place to live. Think of the 2008 financial crisis where unregulated banks took bigger and bigger risks, eventually crippling the world’s economy.

Or take the fact that DNA testing companies, such as 23andMe and AncestryDNA, sell people’s DNA profiles to pharmaceutical companies that use the data for targeted advertising. A scarier prospect is that life insurance companies could use the results to set insurance prices according to people’s risk of developing medical conditions.

Regulations make this world a better place. For example, property owners on the Maine coast cannot cut trees within a certain distance of the water, so people can continue to enjoy an unspoiled coastline; nutrition facts must be labeled on food packaging, so we know what we’re eating; and drugs are tested for years before hitting shelves, so we know they’re safe. And so on.

Just like everything else, personal data needs to be regulated. The personally identifiable data that the GDPR regulates is the information and numbers that define individuals, and its misuse or abuse can have serious consequences for them.

“Ok, but the GDPR is still complex and confusing…”

I don’t expect many to have a problem with the principle of regulating data, but there are certainly critics who think the GDPR is too broad, complex, incomplete, or confusing. And they’re right! But it is not so broad or complex that it stops anyone from complying. Companies all over the world are working to comply, and if you peruse the Web enough you’ll find the same steps to compliance everywhere.

And don’t forget we’re talking about a comprehensive, globally enforced, data privacy regulation. The inherent complexity of the subject combined with the need for a broad, full-scope regulation was never going to yield a simple, step-by-step process that each and every company could follow to comply.

For this reason, I don’t think we can be hypercritical. Our collective attitude should be that of a card player. We’ve been dealt a hand and now we have to play it. Although we can offer constructive criticism to the arguably inept dealer, no amount of whining and moaning will change anything.

Turn An Obstacle Into Opportunity

What I suggest is turning the GDPR into an opportunity. My colleague Stephen Smith, in his most recent blog, predicts the GDPR’s fines and penalties “will provide a catalyst to cleaning up and organizing data in general” and “give internal organizations the political muscle to make headway on achieving a single version of the truth.” CDOs, BI directors, and other data leaders ought to use the GDPR to push needed change in their organizations, such as developing a new data architecture or data governance strategy.

Summary

The GDPR is necessary. It’s lunacy not to regulate data. However, regulating data is complex, and the GDPR is not perfect. But neither of those facts makes complying impossible. Until further notice, we should play the cards we’ve been dealt and turn GDPR into an opportunity to drive change in our organizations. If you still think the GDPR sucks, think of it as the data version of the Golden Rule: treat others’ data as you would like yours to be treated.

To-dos for Compliance

Looking for concrete steps to take towards compliance? This list will get you started.

  • Understand the law: read it
  • Ensure you have the proper safeguards and data protection measures in place; perform a security risk assessment
  • Update your privacy policy
  • Update your cookie policy
  • Ensure data subjects have a way to submit requests
  • Ensure you can act on requests to change, delete, or send data
  • Find out how you collect data, where all your data is, what data you have, and who has access to it
  • Find a legal basis for all the data you store and process
  • Write a data breach procedure
  • Designate or hire someone as a data protection officer

Henry H. Eckerson

Henry Eckerson covers business intelligence and analytics at Eckerson Group and has a keen interest in artificial intelligence, deep learning, predictive analytics, and cloud data warehousing. When not researching and...