And so, at long last, the GDPR is the law, and we leave behind the relatively lower standards under the Data Protection Directive. The Directive, which has been on the books for more than two decades, now passes into obsolescence, like beepers or, in Miami, traffic laws. Now, we’ll all start to learn what the GDPR means in practice, though I have no doubt it will be a process that unfolds over years, and not right away.
I note the move from the Directive to the Regulation for a reason. Although the European project to regulate and protect the privacy of natural persons has been around for some time (almost 40 years!), the Data Protection Directive was the most comprehensive effort achievable at the time of its implementation. Unfortunately, it could not match the high expectations privacy advocates had, primarily because it was only a Directive (which requires each Member State of the EU to implement and monitor its requirements) and not a Regulation (which is directly applicable law). To translate that legalese into normal language, the Directive was applied, and enforced, inconsistently, with Member States disagreeing widely on what to do with personal data.
The GDPR is meant to correct that shortcoming, which brings us to the third, final, and broadest pillar of the Regulation: consistency. It is a concept that applies with equal force to controllers and processors on the one side and the governments and agencies that regulate them on the other. Consistency is, in many ways, the value criterion by which all GDPR compliance efforts will be measured.
Indeed, our transparency-security-consistency triad works precisely because each reflects both a premise and a practice. Transparency is the philosophical underpinning of the GDPR, but also a way to interact with data subjects. Security is the broad concern for control over the safety of data, but also the methodologies and technology necessary to achieve it. Consistency is the long-term commitment to transparency and security, but it also reflects the daily discipline of remembering and abiding by the Regulation. It’s all compliance, of course, but each aspect of it is unique and important.
But consistency does not mean stasis. As we explained, the GDPR is a dynamic law, adapting to the times and technology without resort to new legislation from Brussels. Compliance cannot be static either. Companies will need to remain cognizant of their evolving data inflows, the consequences of their data strategies, and the natural mission creep that occurs when new, valuable ways to analyze customer/consumer data become available.
Ultimately, your approach to GDPR shouldn’t be different on May 25th than it was on May 24th. Dedicated resources and personnel can make a huge difference, and your own privacy pros probably deserve a great deal of praise for all they’ve done to get you to this point. GDPR compliance is now more than just a job for the privacy team, though; it requires input and commitment from the entire company. You can achieve that by remembering the three pillars: transparency, security, consistency. Make them a mantra, make them a goal, make them the centerpiece of your compliance efforts. It’s taken a long time to get to May 25, 2018, but now that we’re all here, the real work begins.