Over the past year, we have spoken to a number of business and technology leaders about what they are doing, and what they are not doing, to comply with the General Data Protection Regulation (GDPR), which applies from May 25, 2018. Based on these conversations, and other insight we have gleaned, here are our team's predictions for GDPR in the coming year:
The days immediately after GDPR comes into play will be overwhelming for organizations as thousands of people in the UK and other EU countries begin to submit subject access requests (SARs). May 28 will be a major test for business leaders, especially since the vast majority of organizations may not yet have fully functional and tested processes to handle requests and communicate with data subjects within the one month (extendable by a further two months for complex or numerous requests) that the regulation allows.
Individuals will not be the only ones trying and testing the ability of organizations to comply with GDPR. State-sponsored groups and criminal gangs will publish large amounts of personal data stolen from organizations in the run-up to May 25, 2018. There will be renewed interest in monitoring the dark web for leaked and traded personal data.
Any large-scale data breach that is made public will place pressure on the Information Commissioner's Office (ICO) to act promptly and visibly to confirm that the new regulation is being enforced and that compliance is not optional. These breaches will not only affect UK entities but will most probably involve cross-border entities in the EU and in the United States.
The Data Protection Officer (DPO), which GDPR requires for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data, will be recognized by the end of 2018 as an influential business role. This newfound recognition will result in the DPO working across the business, reporting to the board and directly engaging with legal, compliance, IT, procurement and other business functions. In some cases, DPOs will be elevated to the board, taking over some responsibilities previously given to Chief Information Officers and Chief Data Officers.
Late 2018, when organizations have woken up to the fact that they are behind on complying with GDPR, will see huge demand for software and services from GDPR experts. However, a shortage of professionals with the appropriate skills will drive the price of help up drastically.
Organizations will start to promote their compliance with GDPR as a means to attract customers, employees and suppliers. However, the absence of a recognized GDPR certification scheme will cause confusion within the market, resulting in false promises that will damage corporate reputations. Tread carefully.
Business leaders who have been working on complying with GDPR will view their work not only as a means of meeting regulatory obligations but as a way of enhancing business operations, including efficiency. There will be a marked difference in the performance of publicly listed organizations in 2019 that invested early in GDPR compliance.
Procurement leaders, not traditionally held personally accountable for business risks, will now be responsible for the compliance of their supply chains. This will be seen in amendments to existing supplier contracts and an emphasis on supplier onboarding and monitoring.
HR professionals will use GDPR to build trust with employees, demonstrating that data held on people will be securely managed and processed to support the balanced needs of individuals and employers. Furthermore, HR teams will use GDPR as justification to invest in gaining workforce visibility by implementing people analytics.
After a couple of good years of revenue, the consultancy market will segment at the end of 2018 or early 2019. Firms with a technology solution will succeed in the long term at the expense of firms with a limited and narrow service offering.