May 25th
GDPR DAY!
It’s here, today is the day. After a ticking clock, the day has arrived. May 25th – the GDPR has gone from discussion and preparation to reality.
Or has it?
With today being a Friday, and Monday being a bank holiday across most of Europe, the real impact won’t set in until Tuesday. Between now and then, let’s take a look at what’s been spreading like wildfire over the past week and a half.
In an online group I belong to, having nothing to do with our worlds of Personal Data, Identity, Privacy, or related issues, a friend posted the following two days ago:
Who are all of you and why are you telling me that you are updating your privacy policy? And asking me to say yes or no to all these emails I forgot I was getting?
This comes from a highly respected financial world consultant, author and wealth management adviser, host of a prestigious annual invitation-only, limited-seating investors strategy seminar. Someone who is up on current affairs and anything and everything that affects markets, money, currencies and all manner of trading.
I posted a reply:
Companies and business entities rattled to the bones in fear of the GDPR, going into effect May 25th, getting their compliance paperwork and notifications in order. Or so they hope, in order not to be subject to EU fines.
This prompted my friend to call me for further discussion.
First thing out of his mouth: “I’ve heard of the GDPR. I’ve read numerous reports on it. I understood it to be about protecting data, holding data in safe storage. An opportunity for Oracle, Microsoft’s Azure, IBM, NetApp which is being acquired by Dell, EMC, HP. Data must be encrypted, and privacy is important. No laxity. Breaches, of any scale, not epic the likes of Equifax, incur cumbersome penalties.”
He had no inkling about the personal data side of the GDPR, of permissions and consent. To him it was all a data play, storage, encryption, protection. No awareness of issues concerning data transit, sharing, interaction with individuals.
His perception: how publicly traded companies (and Dell) might or might not benefit from the GDPR. His level of awareness as it pertained to his world: potential impact on publicly traded big data houses.
And thus when the slew of emails about Privacy Policies, opt-in or out of emails and lists, etc., arrived, he had no clue that these were GDPR related.
It also tells us that he wasn’t reading the emails too closely. A good many of those emails made mention of GDPR compliance. But it also informs us that the emails were seen as an annoyance by some. That includes this high-level, highly educated, highly aware consultant whose job it is to osmose all matters of consequence for investment and finance.
I schooled him on the Personal Data side of the GDPR, and the basics. In addition to breach notification, I reviewed Consent, Right to Access, Data Portability (this was eye opening to him), the Right to be Forgotten (this required some explanation, it was a foreign concept to him), DPOs, and the Penalties.
Financial world maven that he is, in a follow-up email after our call I pointed him to the Wall Street Journal’s video explaining the GDPR.
This leads us to a question: how many others are there who are almost completely in the dark about the GDPR? Others who we would think would be aware of, up to snuff, educated on the GDPR? Or who see it through a narrow lens, only as they perceive it to relate to a specific aspect of their business, or in other cases, of their life?
We’ll soon find out.