It has been amazing to watch the GDPR grip public attention in a way that no data security or privacy law ever has. I mean, when GQ is writing articles about it, you know something big is going on. The coverage has ranged from the thoughtful to the paranoid, and most of it really misses the central issues of lawful processing, transparency, and security. But it does make great copy, and what news outlet could resist driving readership by doing cheesy marketing ploys like countdowns and clickbait titles?
The media hype reflects what is going on in businesses worldwide. The concern over GDPR has lead to something of a cottage industry for companies promising that they can solve all of your GDPR ills and get you across the finish line. What that means is entirely unclear, given that a) no one really knows how the GDPR is going to be enforced, and b) the sheer scope of work necessary to comply with the Regulation means that it takes commitment and input from the company itself in order to actually be compliant.
What all of this really reminds me of is wedding planning. Think about it. The big day is in late May, there was a huge amount of time to get ready, no one is even close to being ready with eight days to go, everyone is freaking out, the preparations are way more expensive than you planned, and now you’re thinking of just eloping.
Nobody does extended metaphors (or glib) like we do, but this metaphor happens to be a good one, because it identifies a visible and a hidden truth in the GDPR. The visible truth is that everyone is scrambling to prepare for GDPR, hoping that they’ll reach May 25th with at least a passable claim at being compliant.
The hidden truth is that the obsession with next Friday misses the point. A wedding is very important, but it is only the beginning: it is the marriage that really counts. The important work only begins after the ceremony is over. That’s the truth for the GDPR as well. In our haste to get past the effective date, many companies are ignoring the reality that compliance is not a snapshot of what you did in mid-2018, but rather how your operations are structured and carried out in the future. Businesses will need to comply with the GDPR for years, decades even. The excessive focus on May 25th alone disguises how important long term planning is.
An alternative approach to this is to see the starting date as the starting point. It is extremely unlikely that you will be able to go from zero to GDPR ready in the next 184 hours, and it would be counterproductive to try. Instead, think of May 25th as the date on which you need to demonstrably devote resources and time to privacy, transparency, and consistency in your data processing. Spend the next days outlining your plans, identifying your team members who can best lead the effort, and commit to devoting the time and resources you can.
Accept that changes, small and large, are going to be necessary to implement your new approach, and that it will not be a simple question of what you’ve done to prepare for a single day. Then, when May 25 comes, treat it as the beginning of your new approach to privacy, the start of something new. It may be a daunting prospect, but like anything meant to last, it starts with commitment and it takes consistency. And maybe even some enthusiasm. Eight days to go – are we ready yet?