Greetings from Brussels!
And here we are, the last Europe Digest of 2018, and what a year it has been for privacy pros. It was a year of reckoning for Europe. The EU General Data Protection Regulation finally became applicable and enforceable — arguably one of the more significant pieces of European legislation to hit the slate in recent years. More than that, its reach and influence beyond the borders of the EU are being felt around the world.
I was asked a couple of days ago by a journalist how I thought the GDPR would evolve for Europe and beyond. Well, in the post-GDPR environment and six months on from 25 May, we have already seen some substantial breach reporting from organizations. I think this is a positive sign overall; it shows that organizations are taking their data protection responsibilities seriously, perhaps more so than before. We saw some household brands announce breaches of varying degree: Facebook, Ticketmaster, British Airways, Quora and Marriott Hotels, to name some of the heavyweights. Let’s also recognize the metamorphosis of the national EU data protection authorities; the GDPR has brought with it substantial enforcement powers, transforming the DPAs into bona fide forces on the industry scene. As the DPAs grow in their ability to facilitate and enforce a GDPR (privacy) culture, this, in turn, has driven the perpetual need for data protection examination and adherence. The GDPR is here to stay, and as it goes more mainstream, organizations have notably started to accept and embrace it. The regulation is much more than mere compliance, as organizations try to articulate — culturally — how they can look to the GDPR strategically, from a business-enablement standpoint. I think this trend will continue.
The GDPR also gave birth to the European Data Protection Board. As reported by Jed Bracy for The Privacy Advisor back in September, with this new EU-wide regulatory body taking shape every day, European data governance will only grow in stature. At the inaugural IAPP Deutschland conference in Munich, the EDPB’s Isabelle Vereecken said, “the law is moving from the theory to the practice, it’s a good time to be in data protection law.” That pretty much sums it up.
Fundamentally, and this has been a catalytic aspect, the GDPR has elevated the field of data protection to one of strategic consideration for organizations particularly in an increasingly digital world. The digital economy in all its complexity, in turn, has given a new impetus to technological innovation with a new and growing industry niche in data protection management solutions. Moreover, the requirement for the appointment of a data protection officer function — under the new regime — remains pivotal, enabling continued validation of the growing privacy profession. In many respects, and from an organizational perspective, the role of a DPO and/or DPO team gives additional strategic definition to data protection as a field, which may not have been the case previously.
And finally, where art thou ePrivacy Regulation? Supposedly — and ambitiously — it was set to come into force alongside its big sister, the GDPR. All the evidence now suggests it will not be finalized before the European elections in May 2019. A lack of consensus was acknowledged in a Council of Ministers December progress report. Without going into detail, the Austrian presidency has removed several provisions and is working with the member delegations to revise other articles and provisions with a general view to streamlining and reducing the burden on both end users and businesses. The ePrivacy reforms cannot be finalized until the Council of Ministers and the European Parliament agree on the wording and formally vote to approve the new legislation. In short, we have time.
All said, and on behalf of all of us at the IAPP, I want to wish you all much festive cheer and a splendid end to the year! See you in 2019.