Job well done, it's time to celebrate!
You've updated your cookie polices, your privacy notices, contracts & agreements. Brand new process documents are in place. It was quite the fire drill, but you're ready for GDPR. Time for some well deserved rest.
Then you get the call
A complaint was filed by someone who visited your website anonymously claiming they asked for all their data to be deleted under GDPR's Right to be Forgotten requirement and your company never provided a confirmation receipt. Now Ireland's ICO (information commissioner's office) has launched an investigation. "How is that possible, we don't even have an office in Ireland, and the user was anonymous for goodness sake!", your CEO remarks. After the investigation, it turns out that, even though you have documented processes and trained your employees, nearly 25% of the 200 or so monthly right to be forgotten, data portability, data access, and profiling opt-out requests were dropped. To make matters worse, a low level marketing manager provided thousand of customer records containing sensitive data to an marketing analytics startup that was promptly hacked. You didn't know about it, so you're also in violation of GDPR's 72 hour breach notification requirement.
The good news, the regulator tells you, is that you weren't deliberately avoiding compliance with GDPR. She probably uses the word "mitigating". Because of the "mitigating factors" they decide the penalty will be only 2% of your annual revenue or 325 Million Euros (instead of the maximum 4%)
But the damage is done. That low level marketing manager is gone, but because of the negative press, your EMEA revenue drops a startling 18%, you miss earnings, and your stock drops 35% over the ensuing months. Now Carl Icahn and Greenlight Capital have put up their own slate of board members and they've indicated they intend to take your company private. 1000s of people lose their jobs.
How is this possible?
This story is fictional, but it's a very real scenario that companies will face in the ensuing months and years. The reality is that GDPR is more than privacy notices and breach notification requirements, it's about protecting personal rights - and meeting those requirements requires highly effective processes. To be sure, updating your notices is required, but to protect your data, protect your customers, and protect your job, you need to make sure your operations can handle the processes GDPR requires.