May 25, 2018. It’s a date that’s always been “coming” and recently “coming quickly.” While all future dates are like that, May 25 this year was particularly interesting because that’s when the new European data protection law, the General Data Protection Regulation (GDPR), switches into enforcement mode. Organisations have had just over two years of grace since GDPR was ratified by the 28 members of the EU (specifically, by being published in the official journal, etc.), and now its requirements are supposed to be met by all organisations to whom it applies.
I have just attended a two-day workshop on GDPR in the context of how a tech vendor can help customer organisations become compliant. There was lots of cool technology on show, but answers to the fundamental questions were elusive. For example, to which organisations does it apply (in New Zealand)? For which people does it apply, and when? How do you meet the critical requirement of differentiating personal data according to the legal basis under which it was collected … and how does this flow through into data subjects’ rights to access their data, have it deleted, and more?
Interesting questions. Challenging times. And so the real work now begins … what exactly is expected, what will be taken to court, who will be fined and under what conditions, and more.