Two years ago, when the European Commission approved the GDPR and set an effective date for May 25, 2018, I thought “that is such a long time to wait.” It was a choice out of keeping with American legislative methods, where Congress passes a law and maybe gives an effective date of the following January 1, but for the most part creates laws to go into effect now. It was also a choice that was, I knew, designed to give companies and regulators sufficient time to prepare for the Regulation.
And it almost was! Sort of! Not really!
To be fair, as we discussed yesterday, there isn’t really a way to say “now we are ready” when it comes to the GDPR. The honest appraisal may be “we feel like we’re compliant,” but given the total uncertainty surrounding the Regulation, it would be nearly impossible to be confident of an A+ from regulators. That, in no small part, is because the regulators themselves are not ready.
What is more important, then, is the approach that you take to compliance. I am not, by any means, suggesting that you should aim for anything less than 100% adherence to the requirements in the Regulation. That has to be the goal. But the regulators themselves have said that this regulatory regime is not about checking boxes (although, in one literal sense, it is). Instead, compliance with the GDPR is about implementing an approach to data collection, use and transfer that respects the data subject’s rights.
For me, that boils down to three central factors: transparency, security, consistency. We’re going to spend the coming week examining all three.
In many ways, transparency is the animating principle behind the GDPR. EU leadership has repeatedly talked about the “trust deficit” and has said that the GDPR is aimed at restoring public confidence in the security of personal information. That premise was confirmed in the wake of the Cambridge Analytica affair, when DPAs across the Union emphasized that, even if Facebook had not done anything illegal, the opacity of its process was a substantial concern, and one that the GDPR aims to prevent.
That’s all fine from a philosophical standpoint, but what does transparency mean in practical terms? Essentially, it is about telling your users/customers what you will do with their data and why. The easiest way to demonstrate the change is by looking at privacy policies. To me, these policies have been a lot like middle school fads, in that as soon as businesses identified what seemed to be a good policy, everyone blindly copied and pasted the model, even if it included language that was totally inapplicable. (You know who you are.)
Transparency also means that you have to keep detailed, thorough records of your processing. Not only are these records subject to review by the regulators; under the GDPR, data subjects are also more empowered than ever to review or correct their data and to restrict or object to its processing. Adequate record-keeping is an essential component of responding to those requests, and it is the most important aspect of demonstrating that what you have promised to do with the data is what you have actually done. To paraphrase, when it comes to creating a paper trail, the life you save may be your own.