25 May 2018 marks a watershed for data protection. The subsequent application of GDPR will decide what shape data protection will take. We believe the main driving force behind data protection will be the demands operators in the private sector make on each other to reduce the risk of economic liability and loss of reputation.

The GDPR has already put data protection on the agenda and has already made an impact. With fines amounting to up to four percent of annual global turnover, or 20 million euros, data protection has made it to management meetings and boardrooms. It has become a trend to offer privacy-friendly services to achieve a competitive advantage.

GDPR is part of a movement within legal politics towards stronger data protection. In 2014, the European Court of Justice introduced a “right to be forgotten” through the Google case. In 2015, the Safe Harbor agreement between the EU and the United States on data transfer was repealed. In 2016, mass storage of data was ruled illegal. Last January, the European Commission suggested an ePrivacy regulation that would limit the use of cookies. We see the same trend in Norway. In April last year, the Supreme Court ruled in a file sharing case where data protection prevailed over copyright.

GDPR will apply to virtually all public and private enterprises. All those who have consumers or employees, or who possess other personal data, have until 25 May 2018 to prepare for, among other things, these new rules:

Data portability

Individuals are given the right to demand that their personal data be transferred from one service provider to another, for instance when changing banks or fitness apps. Few businesses today have data portability systems in place. The rule has the potential to change the competitive situation in many industries.

Privacy by design/default

Requirements are introduced for “privacy by design”, meaning that data protection is embedded into technology, and “privacy by default”, meaning that default settings should be data protection-friendly. This will challenge both those who develop and those who purchase technology.

New rules on consent

The current practice of “all-or-nothing” consent will be banned. Users will be able to opt in for certain purposes and opt out of others. Consents and privacy texts must be prepared in plain language. Most businesses must update their consent texts and privacy policies.

Data protection officer

Public and many private entities will need to establish a data protection officer. Today, this is voluntary and not very common.

There has been a tendency to overdramatise the regulations we have in store. As with Y2K at the turn of the millennium, we will probably wake up to a rather familiar situation on 25 May 2018. Even if GDPR entails important changes, the main features of current law will remain. However, the changes cannot be ignored. There is cause for concern when a recent survey shows that one in three Norwegian CEOs is not familiar with GDPR, and that only one in ten Norwegian businesses has started to prepare for it.

In parallel with the GDPR and new EU initiatives on data protection and privacy, some argue that it has gone too far. The Progress Party of Norway supports extended storage of IP addresses, which has similarities with the Data Retention Directive that the European Court of Justice overruled. Digital border control for Norway has recently been suggested. More cybercrime and terror threats will probably lead to demands for measures that may be at the expense of data protection. The application of GDPR, and the interplay with the private sector, government, and individuals in the years to come, will eventually decide the shape data protection will take.