The GDPR Transformation is Already Here

The General Data Protection Regulation (GDPR) effective date is just about a year out, but already we can see the work companies are doing to achieve compliance having a significant impact on the privacy landscape here in the United States.

I had a great opportunity to gauge exactly how this is happening while attending the annual Global Privacy Summit hosted by the International Association of Privacy Professionals (IAPP) in Washington, D.C.

It took some time to work past the overall lament that talk of the GDPR was dominating the conference. Once I did, though, it became clear that people from across a truly wide range of organizations were using the prod of coming GDPR compliance to systematically and rigorously integrate improved data protection into the very core of their operations. Whether they were just starting on data mapping or policy creation; had ventured into the woods of data classification schemes and Privacy Impact Assessments; or were implementing a Privacy by Design model, the people I spoke to reported a higher level of engagement with privacy, and a deeper understanding of the way data flows throughout their organization, than ever before.

With a year to go before the GDPR gets real, many people are still getting started. But many I spoke with reported high levels of involvement in privacy-impacted work across multiple levels of the organization. This included executives down through middle management and into the corners of product development, marketing, and more.

Today, this organizational involvement with privacy may be centered on those involved in implementing and enforcing privacy policies, but this isolation will not last. Organizational methodologies like Privacy by Design will make their influence felt in many ways. As the privacy pros within an organization begin to provide training and communications to employee populations, we will see more and more employees practicing good data protection behaviors. In short, I believe that we will see more companies develop a true culture around data protection.

But the cultural changes wrought by the GDPR will not stop at the doors of those companies who need to comply because they handle the data of EU citizens. As the larger, global companies start employing higher standards for data protection, this will create a ripple effect as they compel their vendor communities and suppliers to follow suit. Moreover, their influence will cause competitors to reshape their own approach to privacy to better reflect what should soon become the standard by which all responsible companies are judged.

Given the paralysis in our national legislative bodies, I can’t imagine that the United States will embrace any national policy or regulation around data protection (nor am I even sure they should). But it won’t matter, because we’ve already begun the slow but inexorable incorporation of better data protection practices into the American landscape. For those interested in protecting personal information, this is positive news indeed.