Patrick O’Kane (firstname.lastname@example.org) is a UK Lawyer (Barrister) and Data Protection Officer for a US Fortune 100 company, and the author of the book GDPR Fix it Fast: How to apply GDPR to your company in ten steps.
The General Data Protection Regulation (GDPR) governs the use of personal data. It applies to all companies in the European Union (EU) as well as to all companies outside the EU that offer goods and services to or monitor the behavior of people in the EU. Many US companies fall under the provisions of GDPR.
The hype throughout 2018 around GDPR seemed endless. We heard about the potential fines, the new customer rights, and the seemingly frightening and all-powerful regulators. Data protection and privacy moved up on board agendas. As a legal counsel and data protection officer for a Fortune 100 company, I started to get an inkling of the magnitude of GDPR when I finally got a meeting with our CEO, who wanted to discuss it. Before GDPR, I would have struggled to get a one-on-one meeting with the company’s vending machine repair man. Suddenly, in light of GDPR, I was in demand, along with many other privacy professionals. And GDPR-anxious executives started to do what they often do when they are worried about a problem—they threw money at it.
The lawyers, the consultants, the GDPR “experts” proliferated. Then the hype seemed to disappear. We retreated to our jobs, our compliance departments, and our lives. Regulatory enforcement seemed lax, and people started to wonder if the regulation was overhyped.
Then came the regulator fines. They started as a whisper. Smaller corporations received fines in the tens of thousands, and they received little press in the compliance world. Then, as 2019 dawned, the big GDPR fines started to drop.