GDPR

So I’m not usually a guy who enjoys legalese and toying with paragraphs but I must admit that GDPR interests me. Both as a consumer and as a professional. As a consumer I find it nice and a great initiative to protect my rights and privacy as a consumer. I find the privacy regulations and the added responsibility put on service providers to be a welcome change. With the economic penalties outlined in the legislation the GDPR has to be respected. And I think they will – maybe once the initial battles has been fought.

As a professional I have a different approach and a different take on it. While also interesting the burden put on companies are very big and the challenges that has to be solved can seem somewhat insurmountable. Thinking about data in CRM, ERP, file shares, web site logs, e-commerce, data from POS terminals to name but a few makes this potentially a very big thing. What does it mean to allow transparency and data portability? What does it mean to be forgotten? With an IP address being considered PII (private identifiable information) it makes even core systems like web site logs and tracking systems subject to change. How do I even figure out where these pieces of information are stored. It’s indeed a great challenge. At least for B2C companies – it will most likely be much less burdensome for B2B.

To make matters worse the GDPR legislation was adopted by the EU on 27 April 2016 and it becomes enforceable from 25 May 2018 after a two-year transition period. But yet we are only really starting to take it serious now. How can that be? I’m starting to see this as a next year 2000 problem but whereas Y2K was takes serious a long way out this seems to have been mostly ignored. At least from where I sit. It will be very interesting to follow.

The project I’m on now is actually about transitioning a series of black-box consumer signup systems into a transparent Salesforce Service Cloud installation for a customer while ensuring double opt-in and keeping records of consent. We are on a pretty tight schedule to be ready for 25 May but it’s looking okay but the scope is also pretty well defined. But if this had been for the entirety of the customer data it would have been much worse. Now the project is much bigger than this but it’s interesting how it took the GDPR to get them going – maybe it was a good thing as it probably helped their business case internally.