Unless you have been on vacation with no wi-fi for the last 12 months, you have probably heard all about GDPR — the European Union’s General Data Protection Regulation. GDPR has been summed up in many ways: the “2018 regulation of the year”, an example of the so-called “Brussels effect”, or simply a headache for the compliance department. The European data protection legislation is often regarded as the “evil twin” or the “deal breaker”, whereas its lesser-known little brother, Regulation 2018/1807 on the free flow of non-personal data, is regarded as the “good guy”, the regulation that allows everything without sanctions.

While it is true that the GDPR can be quite harsh – the (in)famous 2-4% fines, or an order from the relevant Data Protection Authority (DPA) to stop certain processing – some myths around the GDPR should be debunked in order to understand its full potential. One year later, the DPAs are on the move. After an initial period of uncertainty and relatively small fines, the DPAs have recently decided to step up. Two current cases in front of the United Kingdom’s DPA, the ICO, involve fines of around €300m. There is also the famous €50m fine issued to Google, which is currently the subject of proceedings with the French authority, the CNIL. But this should not be seen as a time to panic.

Setting the record straight

A common misconception is that GDPR is a costly burden and nothing more. One should never forget that GDPR is just one part of the digital strategy of the European Union, and that its aim is both to protect the rights of people and to foster business and credibility in the Common Market. So, in reality, it should not be hard to imagine benefits and revenues arising even from mere compliance.

First of all, GDPR creates a regime for the free flow of personal data inside the EU. Once a company’s records are in order and safeguards are in place, it does not matter where the processing happens, be it Lisbon, Helsinki, Tallinn or Valletta. This allows a company to set up its activities wherever is most convenient, and there are at least 27 possibilities. But this is just the start. Because the European Commission can declare a country, so to speak, “data protection safe” by means of an adequacy decision, data can also be freely moved to and processed in such a country. Currently it is possible to freely move data to Japan, New Zealand, Canada, Israel and Switzerland. More will follow – the EU is negotiating treaties with, among others, Australia, Mexico and the South American trade bloc, Mercosur. All of these could lead to enormous business opportunities.

Second, most misinterpretations of GDPR rest on one fundamental mistake: even though GDPR was drafted with huge American corporations in mind – the so-called GAFAM: Google, Amazon, Facebook, Apple and Microsoft – it does not treat everyone at the same level. GDPR stresses the importance of “reasonable steps/measures/means”, “appropriate safeguards” or “taking account of the size”. These wordings were not randomly conceived by some malicious bureaucrat. They are intended to graduate the provisions according to an organisation’s size and activities: where a corporation may need to implement, for example, the ISO/IEC 27001 standard, an SME can apply ordinary, up-to-date security measures. Where a large organisation should have a privacy policy, most SMEs need clear contracts and well-trained staff. Such balancing should be the key.

Another interesting side effect is that GDPR can allow companies to save money. The idea behind the storage limitation principle, for example, is that if data is no longer needed, it is more convenient to delete it. Large amounts of data are not usually useful to a company, and they can be expensive to maintain, both as live data and as backups. Because GDPR requires companies to assess what they do, what they need and for how long, it gives them the opportunity to review their processes and cut inefficiencies.

Lastly, a growing market of interesting services is emerging. There are software and cybersecurity companies which, working together with the more traditional legal firm, offer services that put the notions of privacy-by-default and privacy-by-design into practice. Even the secondary market is booming: there are insurance companies offering businesses the possibility to become cyber-insured against GDPR fines and compliance costs. This vibrant environment of merging companies, cooperating industries and joint ventures will be able to cross different sectors, from banks to telecommunications and from media to finance.

In conclusion, it is worth considering the recent achievement of a security service provider like TrustArc, which was able to raise $70m in just one round of funding. GDPR can be a friend or a foe, and the attitude with which you approach it will determine the outcome. If a company is looking for solutions, with the right guidance it will find them. Because good things come when least expected, even from compliance.
