I’m writing this sitting in Germany, having spent one week meeting with customers from the UK, Switzerland, and other places and about to spend another at the Kuppinger Cole EIC Conference. The conference agenda is loaded up with EU GDPR topics, and there will be more to say about that in another post. It was very interesting last week to hear from customers, prospects, and partners where their GDPR efforts are right now. With the May 25th date looming, it would be easy to expect that many would be a panic mode. They are not. It would also be easy to assume they have a full plan. Many do not. We won’t be naming any names here, but I will share the thoughts of these folks I spoke with. That will hopefully give you something by which to gauge your own efforts.
The thing everyone had in common is that none of them felt completely ready, and none of them felt this was a huge issue. To be sure, some were further along than others. Since our role tends to focus on unstructured data and many organizations don’t have a good approach to any aspects of managing and securing this data, there was an interesting break where some were coming to as part of the final phases of their preparations and others as part of the first. Some felt they would perfect the places where they had some capabilities already and then move to the places where they had gaps to fill. Others felt the opposite – they went after blank spaces first and hoped where they had some solutions they would be able to meet their burdens without being perfect. All of this comes out of faith that everyone seems to share that the first year of EU GDPR enforcement will be focused on going after a few large, well known organizations as proving grounds for both the details of the regulations and the strength of the enforcement capabilities of the governing bodies. That meant many didn’t wish to harden their GDPR program too much and find they needed to unpack and redo it later based on the realities of enforcement and precedent. That seems to be a vote for those who are going after blank space first and leaving imperfect but covered areas until later.
Another shared trait in everyone we spoke with is confusion. This is not a surprise. Without these first passes through the courts and arguments to truly define what many of the provisions will mean in effect versus what they may mean in theory, it’s very hard to understand what exactly each organization must do. One multi-national services firm’s CISO and I spoke and they stated this very clearly: “I don’t know what GDPR means yet, neither do you, and neither does anyone else.” That one made me laugh – because it states the truth of the matter so clearly. The conversation went on and we agreed that some things are obvious. People who can’t find their sensitive information are in trouble. People without mechanisms to define who can see that information are in trouble. People who can’t answer a DSAR (Data Subject Access Request) with some level of confidence are also in trouble. Beyond that, though, it would be a lie to say we know for sure what else is coming. Things like “privacy by design” are the subject of much debate, but anyone who claims they know the ultimate form this will take is trying to sell you something.
The last things all the organizations I spoke with had in common was a belief that this debate about the meaning of the provisions of GDPR – their details, their implications, the impact of their implementation – is in fact the point of GDPR for the moment. No one I spoke to felt like the effort they are going through right now, regardless of the state of that effort, was wasted time. Several made comments like these were things they ought to have done years ago and that they wanted to do all this anyway and EU GDPR gave them the impetus and budget to make it happen. If the regulation were to be erased tomorrow, people would not regret what they had put in place so far. So if you’re feeling like not being fully prepared yet puts you behind the curve – it does not. It seems that when May 25th hits what we will get is not a phase change as much as a small shift. Like so many other regulatory efforts, people seem to feel it’s there to help push them in directions they should have gone anyway. No one is arguing privacy is a bad idea. Everyone is just waiting to see exactly how that big idea will play out in the small details of IT, cyber security, and the day to day lives of us all.