A year after the European Union’s General Data Protection Regulation (GDPR) took effect, the question remains: are companies truly ready? The answer, as it turns out, is an equivocal “more or less”. One could say it is “by definition, more or less”, since the notion of being “ready” or “compliant”, let alone of reaching a 100% completion percentage, does not exist in this discipline.
The GDPR enforces strict rules for businesses and most public sector agencies, to protect the personal data and privacy of consumers for transactions that occur within EU member countries. The mandate, which went into effect last May, sent organizations scrambling to get their data houses in order and had a reverberating effect internationally for any entity doing business in the EU. An Ovum report found that two-thirds of businesses expected to have to change their global business strategies to accommodate the new data privacy regulations while over half of companies surveyed anticipated fines for non-compliance.
As part of their response plans, companies have bulked up privacy teams, brought in new resources, including data protection officers, and invested in GDPR compliance, including consulting, legal services and software. According to the International Association of Privacy Professionals (IAPP), Fortune 500 firms are spending $7.8 billion on GDPR compliance to avoid the threat of severe sanctions from EU member state regulators. The GDPR budget for the average Fortune 500 company is $16 million, the report found.
Despite the massive preparation, the IAPP survey found there is still a long road ahead. Less than half of respondents said they are fully compliant with GDPR and one in five said they believe that full compliance is impossible to measure. Making comprehensive changes to business practices was the top barrier to GDPR compliance, at 64%, in 2018 and the needle isn’t expected to have moved all that much in the year since implementation, IAPP found.
While the situation around data governance has improved since GDPR came into effect, implementation is uneven across member states. GDPR preparedness tends to boil down to two variables: maturity and ambition. The ambition factor relates to issues like how much a company is willing to invest in GDPR and the level of risk it is ready to accept. Industry is another important indicator—for example, banks and other financial institutions are typically further along the curve with compliance activities and highly sensitive to risk, whether that means the possibility of brand damage or substantive fines.
Other industries like health care may be militant about the integrity and safety of medical test equipment but have less mature practices when it comes to the rigor of safeguarding patient data. Small and mid-size companies still tend to think, wrongly, that they are far enough down the stack that their chance of exposure is slight.
Enforcement is Happening
To date, we still haven’t seen a tidal wave of GDPR enforcement cases, though that is likely to change as enforcement authorities receive more resources to carry out their work. Meanwhile, there are some high-profile exceptions that should prompt any company still on the sidelines to act. The most significant penalty handed out to date came in January when the French data protection authority, the National Commission on Informatics and Liberty (CNIL), fined a major tech company $57 million for not properly disclosing to users how data is collected across services like its search engine and video channel to present personalized ads. The company was also cited for not providing users with enough information about its data consent policies, and in general for forcing users through an unnecessarily convoluted, multi-level privacy notice.
DLA Piper, a multinational law firm, has counted nearly 60,000 disclosed data breaches across Europe in the first eight months of GDPR implementation, led by Germany, the United Kingdom, and the United States. However, so far, there have been fewer than 100 fines issued by regulators – including a 20,000 euro fine imposed by Germany on a company for failing to hash employee passwords and a 4,800 euro fine issued in Austria for the operation of an unlawful CCTV system that was capturing a public sidewalk.
There is definitely an appetite for regulators to gently “lead” the market to compliance. However, enforcement will happen, tempered by whether the culture of a particular geographic region or industry is partial to aggressive action or prefers a more forgiving approach.
Action Steps Going Forward
Companies behind the curve need to accelerate their GDPR readiness while staying mindful that compliance is neither a tick-box exercise nor something that can be tracked on paper or in Excel spreadsheets, given the number of controls involved.
On the other hand, technology is not a panacea. Rather than point solutions or one particular technology fix, enterprises need to take a holistic approach to compliance and, in particular, target data governance practices. It’s not enough to assign accountability for data: organizations need to be able to demonstrate, to the satisfaction of regulators and their customers, that they have the proper steps in place to handle data, and that includes specific policies and practices for cyber security.
However onerous, there is an upside to the struggle. Companies that go through the process of GDPR spring cleaning and compliance will find they have better governance, more transparency into what’s happening in the organization, and in the end, a much clearer shot at better decision making.
GDPR: 1 Year Later
Join this interactive Q&A panel to learn more about:
- What GDPR means for data management
- GDPR requirements around data collection and governance
- Best practices for achieving compliance
- Recommendations for improving data management and ensuring data protection
Register for the Webinar Now