Will GDPR work?
As GDPR has only been in force since 25th May 2018, we cannot yet draw a definitive conclusion on whether it has worked. We can, however, analyse GDPR, and how organisations have co-operated in implementing it so far, to predict how well it will work.
Why GDPR should work:
The implementation of GDPR is an attempt to control our data-driven society and prevent it spiralling out of control. There is therefore a lot of support behind GDPR to try to ensure it works successfully. A data privacy expert, John Taysom, has said that data protection is of 'utmost importance if we want our society to be fair and secure'.
Influential organisations such as Apple and Microsoft have publicly demonstrated their support for data protection, and have therefore led the way in convincing other organisations to become GDPR compliant. GDPR should now appeal to more organisations, because it is becoming a form of competitive advantage: a company that is GDPR compliant will have a competitive edge over organisations that aren't. The Chief Executive of Microsoft, Satya Nadella, has referred to GDPR as 'robust', and therefore Microsoft have been able to demonstrate their compliance.
Data Protection Officers (DPOs) are responsible for helping to maintain GDPR compliance in an organisation, by ensuring that data processors and data controllers are fulfilling their duties. A DPO needs to be appointed if:
- Your organisation processes vast amounts of personal data regularly
- Your organisation is a public body
- Your organisation processes special category data, such as health data
Some have claimed that SMEs are exempt from appointing a DPO, but this is not the case. Germany states that if a company has ten or more employees, and they process data regularly, then the organisation must appoint a DPO. A DPO will ultimately make GDPR compliance easier, so it is wise to appoint one purely to make an organisation run more smoothly.
As many as 75,000 DPOs will be needed across the world, so recruitment of DPOs has become paramount. Industries such as the health care sector and technology firms will view the appointment of a DPO as particularly beneficial, because they'll need help processing the vast amounts of special category data which they hold. The use of DPOs will ultimately help GDPR work successfully.
Why it might not work:
There have been suggestions that GDPR will not work, because many organisations have shown a lack of commitment to establishing their GDPR strategy in advance. The European Union officially adopted the GDPR in 2016, so companies had two years to create their GDPR strategies before enforcement began on 25th May 2018. However, by May 2018, The Verge, a news and media network, had published an article suggesting that neither the regulators nor companies were ready for data protection regulation by that point.
The Ponemon Institute, which conducts research on data protection, found in April 2018 that, of 1,000 organisations which it surveyed, 50% said that they were not confident that they would be ready for GDPR compliance by May 2018. Furthermore, 60% of the tech companies surveyed by the Ponemon Institute said that they were not going to be ready for GDPR compliance by May 2018.
The New York Times published an article by Alison Cool, a professor at the University of Colorado, which highlighted that the organisations which are attempting to comply with GDPR view it as an overwhelming set of regulations, which inherently make the job of companies harder. This would perhaps explain the reluctance to establish a fully-fledged GDPR strategy during these past two years by many organisations.
It is not promising, either, that GDPR regulators appeared unprepared for GDPR enforcement in May 2018. There are 24 European regulators responsible for enforcing the GDPR. A survey conducted by Reuters, a UK news agency, found that 17 of the 24 regulators weren't ready for the 25th May either, as they didn't yet have the funds to enforce GDPR. This is because funding for the data protection authorities, in other words the regulators, comes out of national funds; it is not economically supported by the EU. Therefore, there is going to be variation across EU member states with regard to which regulators are ready to enforce GDPR properly, and which aren't.
However, the fact that a breach of the GDPR has already occurred and is currently under investigation by the Information Commissioner's Office (ICO) suggests that perhaps regulation of the GDPR has already taken hold and will be successful. The first breach of the GDPR has occurred with Ticketmaster, after they found that malware had infiltrated their system. Consequently, customer data was compromised, and the ICO are currently investigating.
Therefore, we cannot be sure whether GDPR will work completely, but the initial implementation and regulation which has taken place so far suggests that it will. It is certainly wise to become GDPR compliant, in order to avoid any potential fines.