GDPR Is Complicated Enough—Let’s Not Obscure It With A ‘Compelling Event Gold Rush’

Neil Patrick

As many of you will know, the revision to the European Union (EU) data protection law is the General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679, if you want the version. It becomes enforceable on 25th May 2018, it was already adopted by EU member states in April of this year, and it doesn’t require their individual approval.

It threatens significant fines for mishandling the storage or processing of a “natural person’s” personal data: the maximum of 4% of worldwide turnover of the previous financial year or €20 million, or the maximum of 2% of worldwide turnover of the previous financial year or €10 million, depending on level of compliance. The definition of personal data is significantly enhanced from the previous definition, including content that enables someone or software to link that information to a person. For example, it can apparently include my IP address.

Why it’s complicated

What isn’t always obvious is that GDPR applies to any organisation that stores or processes personal information of an EU resident, not national. Its authority is triggered by a person’s activity taking place within the Union, not which nationality/citizenship they hold while they do that.

Furthermore, it is not dependent on which country the storing or processing of personal data takes place. So I could be a South African buying something online from my hotel room in France from a company in the USA, and technically, that USA company will need to comply with GDPR.

It will be interesting to see what GDPR means in the context of Brexit and the deregulation stance of the new US president-elect. Before these changes, both countries indicated they would keep in step with the sentiments, and potential sanctions, of GDPR.

How far does it go?

The regulation’s reach extends to:

  • ‘Levels’ of importance of personal data
  • Right to erasure
  • Data retention consents
  • Breach notifications within 72 hours for a significant event
  • Protection by design by default
  • Data portability
  • Profiling restrictions

Companies above a certain size are required to appoint a data protection officer, whose duties include demonstrating GDPR compliance to the supervising authority and submitting to periodic audits. Their authority is from the supervising authority, they’re independent of the board, and cover compliance, business processes, and cyber resilience.

Thirty-nine out of the ninety-nine GDPR Articles require evidence of compliance or process—the potential burden of evidence and due diligence appear daunting. And some terms in the regulation still require additional explanation.

GDPR: one of the most intrusive and corrective regulations ever

This is probably why companies have been given the 2+ years to embrace the necessary changes to comply by March 2018. And also why it’s likely to become a compelling event gold rush during 2017.

What won’t help companies

Compelling event gold rushes are characterised by a proliferation of startups, smart new niche solutions, and adaptions of existing solutions (which may sound like they cover more than they actually do). Throw in related buzzwords like IoT, IoE, and Industry 4.0, and you have a complex and challenging territory populated with a lot of clamour about GDPR compliance offerings. It can be hard to sift out what is most relevant.

Businesses are already heavily regulated and are being asked to do more with less, striving to drive down the cost and complexity of IT infrastructure. What they don’t need is incremental point solutions to stickytape over GDPR pain points or gaps as they become evident.

What will help companies?

What they do need are a comprehensive requirements description, a pragmatic adoption road map, and a cost-effective holistic platform that delivers the road map.

GDPR has many aspects to it and genuinely does require (a) a broad range of solution capabilities to cover all aspects, and (b) their necessary interconnectedness. Working for SAP as I do, I am happy to see we have the unique breadth to offer this.

Get the latest information on GDPR compliance. Attend the live stream session “Get Ready for EU GDPR Compliance,” one of many events taking place at the SAP Innovation Forum, hosted by SAP UKI, on March 1, 2017. Neil Patrick, EMEA Center of Excellence Business Development and Evangelist at SAP, will provide insight on what businesses should consider when complying with GDPR requirements.


Neil Patrick

About Neil Patrick

Dr. Neil Patrick is a Director of SAP Centre of Excellence for GRC & Security covering EMEA. He has over 12 years’ experience in Governance, Risk Management and Compliance (GRC) & Security fields. During this time he has been a managing consultant, run professional services delivery teams in the UK and USA, conducted customer business requirements sessions around the world, and sales and business development initiatives. Neil has presented core GRC and Security thought leadership sessions in strategic customer-facing engagements, conferences and briefing sessions.