On May 24th a 2 year time clock started for firms to comply with the "just finalized and approved" directive. But views from vendors, enterprises and analysts about what it will mean are as varied as their agendas. For some additional background on the regulation, see my colleague Jon Geater's read on why to take the regulation seriously, and Sol Cates' discussion of what the regulation will mean for U.S.-based multinationals.
Industry analysts - No consensus
After speaking with five industry analysts who specialize in IT security topics over the last three days, I have to say that enforcement of the new rules is very broadly contentious. Every single analyst expressed a different opinion. The views expressed varied from "we'll have to wait and see" on one end of the spectrum, to a middle ground that expected enforcement to vary by national jurisdiction (i.e. in southern Europe no fines or enforcement have happened in the past, and it won't start now), to a prediction that the EU would choose 2-3 clear violators in every country as soon as the rules go live to make an example of them, with the expected result that organizations would start to fall in line thereafter.
There were strong expectations that heavily regulated industries (financial services, for instance) would just add the requirements to their long list of compliance obligations and get on with it, but that most organizations would investigate, and then wait to see if there were really going to be teeth behind the regulation. With potential fines of up to 4% of global revenues, the regulation certainly seems to have the potential to be extremely painful to violators if enforced.
The vendors - We'll protect you from the regulation's consequences - Just buy our stuff.
Although the finalization of the regulation missed most deadlines for making it onto event signage, a very large majority of vendors used it as a lever to bring in customers and talk about their own solutions. Invitations and emails leading up to the event touted the need to learn about the regulation (and about why organizations needed the vendor's solution to be compliant), individual booth theaters showed GDPR as a consistent topic, and it was easy to wander around the floor and hear GDPR as an almost constant undertone.
The attendees - What does the advent of the GDPR really mean?
Already awash in regulation, data breaches and the driving need to implement IT security without dragging their organizations into the abyss (recall that a computer that is turned off, not connected to a network, and placed in a locked physical vault is about as secure as you can get), the IT security professionals at the show were a skeptical lot. Most had heard of the term GDPR, some were starting their investigations into what it might mean, and others were well along in their planning, but all were wary of having to commit resources to meeting a new and untested regulation.
The most common consensus on what will happen? Most organizations will hold off until they see what happens to violators before investing substantial resources. Those for whom failure would mean an absolute shutdown (like the financial sector, as mentioned earlier) will get their plans in place and get moving.
The most common problem? All the vendors telling customers that their solution is the one and only way to save their job and organization from a regulatory Armageddon. Fear, uncertainty and doubt are definitely in play.
What do organizations need the most? Clear and specific guidance about which problems raised by the GDPR are addressed by which solutions, and specific advice about what applies to their organization and industry sector. Of equal importance - abundantly clear information about what will, and won't, be enforced once the magic moment arrives.