Two years of programme work, six weeks of final-stretch operations, and at midnight last night the General Data Protection Regulation came into enforcement. The customer portfolio is in attestable position. The actual operational regime — the part where the regulation produces real consequences in real cases — begins now.
The portfolio status. Browne Jacobson, Towry, Northcott, the new financial-services client, and the manufacturer are all attestable. The retailer is attestable with two minor open items that are on remediation plans the customer-organisation board has approved and the timing for which is appropriate to the items themselves. Six of six in adequate position. That is the result I wanted from January, and the team and the customers have got there.
The day itself has been quieter operationally than I expected. The customer briefings this morning were low-key — the customers' programmes are in shape and there is little for me to say beyond "carry on". The Information Commissioner's Office portal is operational and the breach-notification mechanics are confirmed working in the test cases we have run with the ICO's portal team. The supervisory authorities across the EU have been visibly preparing for the day; there is no immediate enforcement wave but the implication of the upgraded regulatory architecture is that enforcement actions, when they come, will be more substantial than the pre-GDPR regime produced.
The substantive operational regime that begins today has, on the customer-portfolio side, three principal effects.
First, the breach-notification environment is materially different. The 72-hour clock is now running. Under Article 33 a personal-data breach has to be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects; a notification made after the 72 hours has to carry the reasons for the delay, and every breach, notified or not, has to be documented under Article 33(5). Two practical points follow. The clock runs from awareness, not from the moment the incident occurred, so the incident record must pin down when the controller became aware; and a processor that detects a breach must notify its controller without undue delay, so processor contracts and on-call routes have to deliver that awareness quickly. The deadline is not one the customer organisation can extend at its own discretion. The breach-response posture we have spent the past six months exercising is the day-to-day operational reality from this morning. The first real test — the first incident at any customer that requires actual ICO notification — will be informative; on the historical incident rate across the portfolio, that test is months away rather than days, but it will come.
Second, the data-subject-rights operational load is now active. Subject-access requests, right-to-erasure requests, data-portability requests, and the various derivative rights actions are all in scope from today. Article 12(3) gives the controller one month from receipt to respond, extendable by a further two months for complex or numerous requests provided the data subject is told of the extension and the reasons for it within the first month, so each request carries its own deadline from the day it lands, whichever channel it arrives through. The rights-fulfilment workflows we have built will be exercised. The volume question that I noted in the April post is going to be answered over the next several months, and the resourcing decisions for the rights-fulfilment functions will follow from the actual volume. My guess is 2-4× the pre-GDPR baseline volume across the customer portfolio in the first six months, with stabilisation at a higher-than-historical baseline thereafter.
Third, the supervisory-authority interaction posture is now formalised. The Data Protection Officer functions are operational where they were not formally established before. The Article 30 records of processing activities are maintained. The processor relationships are documented. The supervisory authority's right to audit the customer-organisation's compliance posture is, as a practical matter, now exercisable — and several customers have asked whether they should expect ICO audit activity in the early months. My answer: not in the very near term, the ICO has been clear that they will be using a graduated enforcement approach, but the customer organisations should treat their attestable position as something that needs to remain attestable as the operational regime evolves.
For the wider commentary on the day. The press coverage has been substantial and not entirely accurate; several of the more breathless pieces have over-claimed both the immediate enforcement risk and the practical mechanism of the regulation. The headline fines do exist in the regulation (Article 83(5): up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher) but are reserved for the most serious infringements and are not the day-one starting point of the supervisory authorities' enforcement posture. The 72-hour notification clock applies to any personal-data breach unless the controller assesses it as unlikely to result in a risk to data subjects; not every incident triggers a notification, the controller's documented risk assessment is part of the regulatory framework, and an incident that falls below the notification threshold still has to go in the Article 33(5) breach record so that the assessment can be shown to the ICO later. The customer briefings this morning have included a useful conversation about not over-reacting to the press characterisation; the operational regime is demanding but it is not the apocalyptic landscape some of the press coverage has suggested.
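The Article 33 mechanics described in the first effect above and the press caveat just made (the clock runs from awareness, the risk assessment gates the notification, late notifications need reasons, and every breach is recorded whatever the outcome) are easy to state and easy to get wrong in a tracker. The following is an added example written for this post, not a tool from the vCISO practice or from any customer; the incident references, timestamps and risk labels are constructed, and the status vocabulary is the example's own, not the ICO's.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Article 33(1): notify the supervisory authority without undue delay and,
# where feasible, not later than 72 hours after becoming aware of the breach.
NOTIFY_WINDOW = timedelta(hours=72)


class Risk(Enum):
    UNLIKELY = "unlikely"  # Art 33(1) exemption: no SA notification, record it anyway (Art 33(5))
    RISK = "risk"          # Art 33: notify the supervisory authority
    HIGH = "high"          # Art 34: additionally inform the affected data subjects


def _utc(ts: datetime) -> datetime:
    # A 72-hour clock computed on naive local timestamps is a classic way to be
    # hours out across a clock change; refuse anything that is not tz-aware.
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)


@dataclass
class Breach:
    ref: str
    aware_at: datetime                   # when the controller became aware, not when it happened
    risk: Risk                           # the controller's documented risk assessment
    notified_sa_at: Optional[datetime] = None
    delay_reason: Optional[str] = None   # Art 33(1): required if notification is later than 72h

    def __post_init__(self):
        self.aware_at = _utc(self.aware_at)
        if self.notified_sa_at is not None:
            self.notified_sa_at = _utc(self.notified_sa_at)


def deadline(b: Breach) -> datetime:
    return b.aware_at + NOTIFY_WINDOW


def sa_notification_required(b: Breach) -> bool:
    return b.risk is not Risk.UNLIKELY


def subjects_must_be_informed(b: Breach) -> bool:
    return b.risk is Risk.HIGH


def hours_remaining(b: Breach, now: datetime) -> float:
    """Hours left on the 72-hour clock; negative once the deadline has passed."""
    return (deadline(b) - _utc(now)).total_seconds() / 3600


def status(b: Breach, now: datetime) -> str:
    """Where the Article 33 obligation stands at `now` (example's own vocabulary)."""
    if not sa_notification_required(b):
        return "record-only"             # Art 33(5) entry still mandatory; no SA notification
    if b.notified_sa_at is None:
        return "overdue" if hours_remaining(b, now) < 0 else "open"
    if b.notified_sa_at <= deadline(b):
        return "notified in time"
    if b.delay_reason:
        return "notified late, reasons recorded"
    return "notified late, reasons missing"  # a gap the SA will ask about


def register(breaches, now: datetime):
    """Art 33(5): every breach goes in the register, whatever the outcome."""
    return [(b.ref, b.risk.value, deadline(b).isoformat(), status(b, now)) for b in breaches]


# Constructed sample incidents (not real cases) exercising each path.
T0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)


def hours_after(h: float) -> datetime:
    return T0 + timedelta(hours=h)


SAMPLE = [
    Breach("INC-1", T0, Risk.UNLIKELY),                                # e.g. encrypted device, key safe
    Breach("INC-2", T0, Risk.RISK),                                    # open, clock running
    Breach("INC-3", T0, Risk.HIGH, notified_sa_at=hours_after(30)),    # in time, subjects also due
    Breach("INC-4", T0, Risk.RISK, notified_sa_at=hours_after(90)),    # late, no reasons given
    Breach("INC-5", T0, Risk.RISK, notified_sa_at=hours_after(90),
           delay_reason="scope confirmation from the hosting provider arrived on day 4"),
]

if __name__ == "__main__":
    for row in register(SAMPLE, hours_after(80)):
        print(*row)
```

The point of `_utc` is the one that bites in practice: an incident logged at 17:30 local on a Friday and a deadline worked out on a wall clock can disagree with the supervisory authority's reading by an hour or more, and "where feasible" is not a defence for arithmetic. The `record-only` branch is the other thing teams drop; the exemption is from notification, not from documentation.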
The thing that the day's commentary is, in my view, not adequately addressing is the trans-jurisdictional consequence of GDPR. The territorial scope in Article 3 reaches controllers and processors with no establishment in the Union wherever their processing relates to offering goods or services to data subjects in the Union or to monitoring their behaviour there, so where the controller sits is not the question; whom it serves and watches is. The practical effect is that the world's data-handling practice is being, at least at the platform-and-service level, harmonised toward the EU's regulatory standard. The US-side platforms (Facebook, Google, the major SaaS vendors) have implemented GDPR-compliant infrastructure and are in many cases extending the GDPR-compliant practices to non-EU users on the operational grounds that running multiple regimes is more expensive than running one. The South Korean, Brazilian, Australian, and Japanese privacy-regulation conversations are all being shaped by GDPR as the de facto international standard. The structural consequence, that EU regulatory output now sets a default for consumer-data practice globally, is a substantial shift in the international economic and regulatory landscape and is not, in 2018, fully appreciated by the audiences whose attention is on the immediate day-one operational concerns.
The personal note. The two-year programme has produced the result I wanted. The customer organisations are in better operational shape on data protection than they were when we started. The vCISO portfolio's GDPR work has been the most strategic piece of the practice's work for two years and is now transitioning into operational support. The nature of the work changes from this morning — less programme management, more incident response and rights-fulfilment support, more advice on specific interpretive questions as they emerge from supervisory-authority practice and case law. I will be writing about that as the new patterns emerge.
The pubs are open. I will be at one this evening. Ideally for not long.