GDPR Failures
- Rabea
- May 16, 2018
- 4 min read
Updated: May 17, 2018
You have probably already heard a lot about GDPR, right? Here are some points in summary:
1. The EU General Data Protection Regulation goes live on 25th May 2018. The timeline has been known for two years, which has given enough time to make preparations.
2. The objective is to give companies more responsibility for how they handle personal data and communicate about it. Personal data is every type of data (also in combination) that could allow a person within the EU to be identified. It affects customer data as well as the information of employees.
3. A person has to give explicit consent to a company to use their data. This includes that the person has been informed clearly about the usage and purposes.
4. A breach needs to be reported within 72h. This will kick off investigations and in the worst case also a fine for the company. The amount depends on several factors like gravity and can be up to 20 Million Euro or 4% of annual global turnover (whichever is greater).
5. Privacy by Design, existent for years already, means to include the aspect of data protection from the beginning when new tools, systems or processes are designed.
There are many more aspects to look at, but why do I single these out? Because I think they include details which got overlooked or ignored and will hit us back sooner or later.
1. Yes, we had enough time to prepare. It's a huge topic and requires time to take care of. But please, it would really have been nice to see more advertising for it. Not every EU person follows every new law. Large companies jumped quickly on it and had the chance to prepare accordingly. The ones we wanted to catch are safe. The challenge is now in the SMB (small and medium business) area. Over the last year the advertising became a little bit louder, and for the last approx. 3-4 months it was even loud on a local level. Everybody panics, but they lost time. Additionally, SMBs might not have the money, knowledge or infrastructure to easily adapt to the new rules. A sad result that could have been avoided by better communication and support.
2. "Personal data" affects all of us. Marketing, Sales, Operations... nearly every part of the company is somehow using data. It is unavoidable to extend the original discovery phase across the whole company and all systems. Otherwise something will slip. Like the fact that employee data is also affected. I have my doubts that this aspect is always taken into consideration. It's a special challenge for HR and needs more attention.
3. As we come closer to the key date, you might have received emails from companies or seen on websites that the terms and conditions changed. You should read them and click the button at the end. My favorite example from a social network is "If you want to continue our services, you agree". The gap between theory and reality becomes obvious. Neither does the customer read the terms and conditions nor does he have an option. If I want to keep living in the social network, talk to friends and not put my digital life on hold, I have no option. Simply because the services would not work without using data. Imagine Google would not use their data: how many services would still bring added value?
4. Fines! One of my favorite topics. It's the reason why everybody panics and takes this topic so seriously. Not because they understand the responsibility when handling data. Money is the driver to change. If money would not be... well, we will see. Austria is the first example I heard of finding ways to avoid the fines. Not a company, but a state made the first step in taking the heat out of the regulation. Here you can find an article about the details (sorry, German only). The core message is that some industries, like government (including police and military), NGOs and media got special exceptions.
5. Every larger company should smile when they hear the term "Privacy by Design". It should be the foundation of everything we do in business. That we have to write it down precisely in a regulation shows me that this is not the case. When I started my first job and had the pleasure to work with Microsoft, Privacy by Design was one of the first things I had to learn. From that moment on it was part of everything I touched. I highly appreciated this.

In summary: I think GDPR is exactly what we needed and a step in the right direction. Digital is moving so fast that it is difficult to understand where this will lead us in regards to data and privacy. We have to seriously catch up on this topic without stopping innovation. GDPR is the first step towards having an ethic around it. Nevertheless, it's not perfect, and probably some unexpected consequences will come up due to mistakes made in the process. I am curious to see how it will develop.
Some resources that might be interesting for you around GDPR: