The news is already getting quieter around the GDPR, the general data protection regulation as issued by the European Union. Several weeks ago it has been discussed in detail in many articles, and background information has been provided by many sources, including lawyers and security experts, but in the meantime other topics have taken its place in the news.

But unlike some other topics, the GDPR won't go away by simply ignoring it. It is less than two years from now, that it will reach legally binding status as a formal law for example in Germany. Probably one of the most striking characteristics of the new regulation that is constantly underestimated is the scope of its applicability: It actually applies in all cases where the data controller or the data processor or the data subject is based in the EU. This includes all data processors (e.g. cloud service providers) or data controllers (e.g. retailers, social media, practically any organisation dealing with personally identifiable information) which are outside the EU, especially for example those in the US. They, however, seem to be gaining the lead in taking the right first steps already in comparison with European organisations.

So the GDPR will be a major game changer for a lot of customer facing services. For many organisations changing the processes, the applications and the infrastructure landscape to be compliant with the regulations of the upcoming new requirements as laid out in the GDPR will be a massive challenge.

The following image focuses just on some of the “highlights” of the European General Data Protection Regulation. But apart from this each and every organisation should review the current version of the text which goes far beyond that. It is available on the Internet, e.g here, and detailed and profound commentary is available e.g. here. My fellow analyst Dr. Karsten Kinast provided a great short wrap-up during his keynote at EIC 2016 in Munich earlier this year.


While two years sound like a long period of time actually the opposite is true. The requirements as imposed by the GDPR are at least partially substantially different from existing national data protection regulations. Every organisation has to identify, which steps are required to implement proper measures to comply to these regulations for their own processes and business models. When looking at the amount of time required to implement all changes identified, somewhat less than two years no longer appears to be overly plenty of time.

Unfortunately, especially industry associations appear not to be willing to supply adequate support or advice and often enough end up in commonplace remarks. Instead of providing appropriate guidance often the opposite is done by repeatedly praising Big Data as the basis for next generation business models. While this might nevertheless be true for some organizations, it can only be true when being compliant to the upcoming GDPR in every relevant respect.

Many important decisions will have to be left for court decisions in the end. This might turn out as a difficult challenge with only little practical advice being available as of now. But doing nothing is not an option at all.

Compliance to legal or regulatory requirements is rarely considered as a value in itself, but it is - and will be even more - a sine qua non when it comes to data protection, customer consent and privacy very soon. On the other hand: Assuring a high level of security and consumer privacy ahead of the legal requirements can be a competitive advantage. So if you have not yet started making your organisation and your business ready for the GDPR and its upcoming regulations, today might be a good day to take the first steps.