The GDPR compliance deadline has now passed. Bells did not ring. No confetti dropped. No parades celebrated the day. People who don’t work in privacy might even be forgiven for having no idea that anything important happened on May 25.

Yet, important things have indeed happened.

There will certainly be many who look ahead to this new era of data protection and privacy. These predictions of the future offer us important perspective. There is much that is still unknown under GDPR, with advisory opinions, court decisions, and (perhaps most importantly) enforcement actions yet to come. We need the collective wisdom of our profession to see the path ahead and keep us pointed in the right direction.

Today can also serve, however, as a day to look back on the work that has led to this moment and the changes that have occurred as a result of GDPR. In the middle of our efforts to prepare for this regulation, it has been too easy to lose sight of the massive evolution (revolution!) in the privacy field. So, let’s take a look back over the past few years and reflect on the significant changes that have occurred.

Here at the IAPP, we have felt change most notably in our growth. Just two weeks before the GDPR deadline, we surpassed 40,000 members in over 100 countries around the world. At the start of 2018, we had 35,000 members. At the start of 2017, we had 25,000 members. We have been adding over 1,000 members a month this year, and our pace continues unabated. Our membership growth has certainly been directly tied to the preparations for GDPR.

Now, you might think that all those new members are data protection officers (DPOs), a role mandated for many organizations under GDPR. The IAPP has conducted research that showed a need for 75,000 DPOs in the private sector around the world under this requirement. However, we know from looking at our data that our new members are coming to us from across the enterprise — engineers, marketing professionals, HR managers and information security pros are all joining the IAPP. This suggests that our field has broken the boundaries around the privacy department and extended across organizations. In other words, the GDPR has made privacy an enterprise-wide concern.

This dynamic has emerged in other ways as well. In research on the institutional response to GDPR, the IAPP found that the global FORTUNE 500 will be spending in excess of $7 billion. These expenditures were not just in legal and compliance functions, however. Much of that GDPR spend was associated with IT upgrades to ensure functionality that enabled new GDPR requirements could be met. Our data makes clear that the GDPR has changed the architecture of IT around the world.

We saw other IT developments as well. Most notably, our field has seen the rapid rise of privacy technology solutions to help organizations manage their obligations under GDPR. Anyone who has attended the Summit in the past few years has certainly seen the explosion of vendors on our show floors.  The IAPP responded to this growth by creating the Privacy Tech Vendor Report in January of 2017. This report was designed to create an inventory and categorization of the various vendors emerging in the field. The first report had under 40 companies listed. Our most recent version has over 150. Without question, the GDPR launched an entire category of tech solutions for our profession.

There are changes outside of our profession as well. I have been asked about the GDPR at my gym. I have been questioned about the GDPR at family gatherings. Indeed, it seems that all of my friends and family have had a forehead-slapping moment in the past few months where they realize, “Oh, that’s what Trevor does for a job.” This broad awareness of the privacy field should be celebrated. The media has covered GDPR extensively (IAPP leaders have been covered in the Wall Street Journal, Financial Times, and The New York Times in recent weeks) and citizens around the world have begun to understand the importance and role of privacy laws and regulations. We even found some data that suggested that the GDPR was trending higher online than Beyonce last week! 

May 25 has arrived and the privacy world has been changed forever. We have thousands of new privacy pros, with more joining every day. We have broad engagement with privacy across organizations and massive investments in privacy-related updates to IT systems. We have a new industry — privacy tech solutions — that has been built to provide better tools to manage GDPR compliance. And the public finally understands our work and the importance of privacy in our digital economy.

Waypoints like today deserve our reflection on the work that has occurred to bring about these changes. Millions of hours of effort have gone into building better accountability and management of data within organizations. We should all feel proud of that collective achievement. And maybe take a long weekend to catch a breath…

Because the GDPR era has just begun.

Photo credit: Lawrence Wang 王治钧 落地玻璃上的反光+雨幕 Reflection +rain curtain on the windows #上海 #shanghai #shanghaicity #rain #umbrella #onlyiphone #phonepic via photopin (license)