Ahead of the one year GDPR anniversary, we spoke with Kon Leong, co-founder and CEO of ZL Technologies, which is an information management provider with clients spanning the Fortune 500, including half of the top 10 financial services companies.
Kon works on-the-ground to future-proof companies against penalties and violations. In this interview, he shares his thoughts on this past year and where he believes the opportunities lie for stakeholders moving forward in being GDPR compliant.
What have we learned in the first year of GDPR?
The first year of GDPR can best be described as a year of growing pains with more pain than growth.
This is still the case. However, despite the technology disconnect, there have been few significant fines as of yet. Regulators have come face to face with the complexity of implementing data privacy in large enterprises, and the reality that we are still years away from being there. And not only do companies have insufficient technology to meet GDPR, regulators also do not yet understand the digital ecosystem enough to properly address fines.
What has been the largest impact of GDPR?
As a result of GDPR and the other regulations that have followed, the convergence of several spaces has been drastically accelerated, with the timeline of this convergence moving up from the next decade to the next few years. Various functions of data management—compliance, eDiscovery, records, privacy, analytics, etc.—and the different types of data—unstructured and structured data, which have traditionally been managed in isolation from one another, now require unified information management. Consider the following scenario: A data subject request his data to be deleted. Can you delete it? No, first you have to check if it’s on legal hold. Then can you delete? No, you have to check if it’s a business record. And then whether it’s needed for other compliance requirements, and so forth. These different areas have been slowly converging, but privacy regulations will necessitate them working in synergy much earlier than expected. In short, the IT architecture of today’s silos is “siloed,” and GDPR respects no silos.
What can we expect over the next couple years in terms of privacy developments?
Are there any other consequences?
While total privacy may seem like an attractive prospect for end users on the surface, it actually comes with a laundry list of unspoken implications. Perhaps most worrisome of these implications is the paradox that privacy and total intrusion are two sides of the same coin, and it’s often hard to tell which side you’re on. The fundamentals of privacy are about controlling data all across the enterprise so you can take the required action on them, and that in fact requires extreme insight into data. In other words, every individual’s information has to be completely governed and accessible in order to meet privacy regulations, and once this level of control is available we’re only a step away from several dystopian scenarios. Privacy and intrusion are only kept separate by oversight. If oversight is missing, it slips into intrusion. And as a species, have we ever been good at oversight?