We can end up like the Chinese. Governments are exempt from the GDPR when national interests are compromised. A surveillance state in the EU is still a possibility. We must be vigilant...
The EU General Data Protection Regulation will help us standardise how businesses and organisations are allowed to work with our personal data: knowing what data these organisations hold on us, what they are doing with it, who they are selling it to, how long they intend to keep it and for what purpose. The right to be forgotten.
We are in favour of the EU GDPR. It gives us EU citizens the tool to defend ourselves against misuse of our property: our personal data. Organisations, of course, less so. Lots of criticism about 'what a bureaucratic monster'. Lots of misconceptions too. Bakeries that are not allowed to gather data on their customers. Hogwash. Project Fear. The GDPR is clearly directed towards the "Facebooks" of the EU, the data-vacuum machines that are becoming so powerful and influential with OUR data. Organisations with fewer than 250 employees are exempt from GDPR compliance unless their business model clearly involves handling large amounts of personal data. No government agency will raid our bakeries or football clubs.
This doesn't mean that your clients, customers and employees are not allowed to ask you what data you have on them. The 250-employee rule only implies that you don't have to create all the documents upfront that show your organisation is GDPR-compliant. The requested information still needs to be supplied, and the authorities can be notified, even when it means spending a lot of time gathering the data because you are not set up properly. Be prepared...
The organisations that do have to prove they are GDPR-compliant will need to spend lots of time and effort. Becoming GDPR-compliant is a time-consuming process that involves Data Protection Officers (DPOs), lawyers, consultants and interaction with colleagues. Not only EU organisations are impacted. GDPR is worldwide: when doing business with one of the 492.1 million EU citizens (2018), your business is impacted by the GDPR. You need to be compliant.
The GDPR is still young. Organisations are finding their way. We look at it as a process of constant learning, like the time when taxes and double-entry bookkeeping were introduced. Imagine the impact on businesses and organisations, forced to open up their finances. This is now common practice, and an industry has formed to help organisations. Tools were created to support the professionals and are increasingly being opened up to colleagues in the organisation.
We envision something similar on the personal data front. It is, and will be, specialist work to implement the EU GDPR properly in organisations. Similar to the introduction of double-entry bookkeeping, the GDPR will, in the long run, become embedded in the DNA of all organisations that work with the personal data of EU citizens. It is their RIGHT. We think the impact will be even deeper in the organisation because more colleagues will be impacted and need to be trained.
Currently we see a very inefficient process with only limited involvement from colleagues: most of the time consultants gather information in spreadsheets and one-off presentations, write a report and are done with it, repeating the process every half year without improving the organisation. This definitely needs to change when bringing the GDPR into the mainstream.