We are entering the second year of the European General Data Protection Regulation (GDPR), which entered into force on May 25, 2018.
GDPR shone a spotlight on data protection like nothing else before it. It has pushed data privacy and responsibility to front of mind for political decision makers and companies. It is stimulating privacy-by-design across industries. Many companies re-prioritized privacy, updating compliance systems, deploying privacy safeguards across processes, services and products. And in society, privacy — and GDPR — have become part of common parlance.
Companies that are serious about data responsibility are raising the bar by going beyond compliance. For IBM this means implementing our principles for Trust & Transparency across our business and across all markets, and playing a key role in initiatives such as the development of the EU’s AI Ethics guidelines and the Charter of Trust. IBM has also been a driving force in the EU Cloud Code of Conduct, an independently-governed industry code that contains rigorous assurances for the protection of data in cloud services. Such codes are fostered by GDPR as contributing to a higher level of data privacy, transparency and accountability. The latest version of the EU Cloud Code of Conduct is currently pending official approval by supervisory authorities.
In the past year, individuals and businesses have felt the harmonization benefits that GDPR brought about. As individuals we can now rely on the same rights and high standards throughout the European Union, no matter where we are and no matter where our data is processed. As companies, harmonization means a single privacy framework to comply with across 28 EU Member States and other countries, such as Norway, Iceland and Liechtenstein.
And there is even more potential for harmonization. As GDPR matures, we expect that areas such as the “opening clauses” that allow Member States to treat important issues (e.g. processing of sensitive data or employee data) will be aligned, avoiding the need for companies to adapt for different requirements across different countries. We also expect that guidance from national Data Protection Authorities, the European Data Protection Board as well as eventual decisions from the European Court of Justice will be clear and consistent on, for example, rules around data access, consent, or data transfer outside of the EU.
An increasing number of governments across the world are also tackling data protection policy. Other regions do not necessarily need to copy/paste the GDPR approach – different regions need tailored privacy policies, reflecting the diverse historical, legal and cultural approaches to privacy. However, what is crucial is that different regimes are interoperable, ensure the ability to transfer data to each other, and focus on protecting consumer privacy while avoiding unintended consequences that could harm the broader, more responsible digital economy. Cross border data flows generate opportunity, innovation and value for economies and societies alike – if they are not hindered by unnecessary data localization obligations.
In the year since GDPR, the opportunity of data has continued to increase, and it will grow even larger and more fascinating. IBM looks forward to GDPR living up to its potential as an enabler of trust, and we will continue advising other governments around the world as they explore their own approaches to strengthening consumer data privacy protections.
– Dr. Nils Hullen, IBM Government and Regulatory Affairs Executive