The General Data Protection Regulation (GDPR) has actually been with us for quite a long time (in various forms), but this month is the moment of truth. On May 25, the GDPR will start being enforced.
Here’s a quick timeline of the evolution of the GDPR:
October 1995: Data Protection Directive (95/46/EC) is adopted. The majority of the rules of the GDPR are the same or similar to those of the Data Protection Directive. Thus, much of the GDPR has been with us for more than 20 years.
January 2012: First Draft of GDPR is released.
March 2014: European Parliament votes to support the GDPR.
December 2015: The Trilogue (EU Commission, European Parliament, and EU Council of Ministers) reaches an agreement about the GDPR.
April 2016: European Parliament and Council of the EU formally adopt the GDPR. There will be a 2-year grace period until the GDPR is enforced.
I have a confession to make, one that is difficult to fess up to on the US side of the pond: I love the GDPR.
There, I said it. . .
In the United States, a common refrain about GDPR is that it is unreasonable, unworkable, an insane piece of legislation that doesn’t understand how the Internet works, and a dinosaur romping around in the Digital Age.
But the GDPR isn’t designed to be followed as precisely as one would build a rocket ship. It’s an aspirational law. Although perfect compliance isn’t likely, the practical goal of the GDPR is for organizations to try hard, to get as much of the way there as possible.
The GDPR is the most profound privacy law of our generation. Of course, it’s not perfect, but it has more packed into it than any other privacy law I’ve seen. The GDPR is quite majestic in its scope and ambition. Rather than shy away from tough issues, rather than tiptoe cautiously, the GDPR tackles nearly everything.
Here are 10 reasons why I love the GDPR:
(1) Omnibus and Comprehensive
Unlike the law in the US, which is sectoral (each law focuses on specific economic sectors), the GDPR is omnibus – it sets a baseline of privacy protections for all personal data.
This baseline is important. In the US, protection depends upon not just the type of data but the entities that hold it. For example, HIPAA doesn’t protect all health data, only health data created or maintained by specific types of entities. Health data people share with a health app, for example, might not be protected at all by HIPAA. This is quite confusing to individuals. In the EU, the baseline protections ensure that nothing falls through the cracks.
This cartoon makes fun of the fact that these days, there seem to be so many GDPR experts. There are, indeed, many experts who know a lot about GDPR. The problem is that there are a lot more “experts” out there who know only a little about GDPR.
Organizations are racing to get ready for the GDPR implementation date of May 25, 2018. Complete GDPR compliance in a few months is likely not feasible for many organizations, but this shouldn’t mean that these organizations should give up. Making a good-faith effort and continuing to strive to improve are quite worthwhile.
Recently, I created two new GDPR training resources.
I created a 1-page visual summary of the GDPR, which I call the GDPR Whiteboard. The idea was to capture the key points of the General Data Protection Regulation (GDPR) in a succinct and visually-engaging way. It has become quite popular, receiving thousands of downloads. You can download a PDF handout version here. We’ve been licensing it to many organizations for training and awareness purposes.
GDPR Interactive Whiteboard
I subsequently created a new training module — an interactive version of the GDPR Whiteboard – the GDPR Interactive Whiteboard. When people click on each topic, the program provides brief narrated background information, presented in a very understandable and memorable way. Trainees can learn at their own pace. This program is designed to be very short — it is about 5 minutes long.
It can readily be used on internal websites to raise awareness and teach basic information about GDPR. It can also be used in learning management systems.