Here are my predictions for what will happen in a world where GDPR is ‘live’ – out in the wild so to speak. The EU’s mythical caged dragon of GDPR is set loose to wreak havoc upon mere mortal humans and their humble businesses. Can you see what I’m doing here? A movie magnate was once purported to have said ‘I want a movie that starts with an earthquake and then builds up to a climax’. I’m doing that sort of thing.
So, what will happen on May 25th? The honest answer, I suspect, is not much. A damp squib, by all accounts. Darn. Not much excitement after the earthquake after all. A bit like when no one was affected at all when the clocks tipped over midnight and the world braced itself for the Y2K global disaster. That was very different though, and once it was over, it was over. Not so with GDPR; it will rumble on for many years.
So what can we expect to see?
1. GDPR will increase opportunities for ‘malicious’ behaviour
Unfortunately, nothing this exciting will happen, but a few CxOs could find themselves more than a little annoyed. May 25th onwards will see activists take action in a number of ways. Hacking groups will be working to find ways into some companies and will only collect and leak the data when GDPR is live, solely to cause mischief and stimulate fines. The second type of activism will be coordinated Data Subject Access and Right to be Forgotten requests, made in the hope that they will cost the targeted business a lot of time and money, most likely by consumer groups and/or anti-globalisation protestors.
2. 1000s of businesses will be raided at midnight by regulators
I’m determined to inject some excitement into this, but sadly there won’t be any mass raids either. Could it happen at all? Yes – the UK’s regulator swooped (if you can describe something that took a week as ‘swooped’) into Cambridge Analytica’s offices in the wake of the Facebook scandal. They even wore fetching FBI style bomber jackets. So be good.
3. Courtroom dramas will unfold on TV while millions watch
You guessed it: none of this either. Don’t get me wrong, there will be reputation-damaging incidents, and plenty of European court activity, but it’s going to be incredibly boring and move slower than a tired glacier. The courts will help tighten the definitions of GDPR, so the outcomes will at least drive company policies over time. You can expect that GDPR will evolve over many years, with more than a few significant changes.
4. 2018 will see the first eye-watering fines
Nope, not in 2018. There will undoubtedly be some big data breaches, in which I’m sure the regulators will get involved. Unless it’s the result of a heinous disregard for data security and also involves serious misuse of personal information, big-ticket fines will most likely stay in their wrappers and you’ll see a more graded approach by regulators.
5. No drama here: GDPR will change the world
Or maybe GDPR is evidence that the world has changed? Whichever way around you see it, I believe GDPR has and will continue to have a global impact, with many camps now pushing for a federal privacy law in the US. Unfortunately, there will still be companies trying to get away with privacy statements full of ‘weasel words’ and as long as War and Peace, but I’m hopeful that many more businesses will embrace the spirit of the GDPR. At Commvault, we’ve already seen our customers benefit from preparing for GDPR with IT cost savings, smarter use of data and boosts to employee productivity.
Ultimately though, things will have changed on May 25th: Europeans will have regained some power from big and powerful corporations and global tech monopolies. Business will finally have a reason to understand the data it holds and to re-think what it does with that data. So the real story about what happens after GDPR goes live is down to you and me, in both how we react to it as a business, and how we use our new powers as individuals.
Nigel Tozer is solutions marketing director EMEA at Commvault, a company specializing in backup and disaster recovery