Is your company prepared for the EU’s General Data Protection Regulation (GDPR), which went into effect on May 25? Do your executives even think you need to be?
For many companies, the answers are no and no — and that’s worrying.
From a preparedness perspective, the news has been, and continues to be, bad. In May of 2017, Gartner warned that up to 50 percent of companies affected by the mandate would not be in full compliance by the end of 2018. A recent SAS survey confirmed the lack of progress. In April, SAS reported that just 46 percent of the global organizations surveyed indicated they would be in full compliance by the deadline, with only 30 percent of U.S.-based businesses and 53 percent of EU businesses saying they expected to be ready.
Even more disturbing is the lack of understanding of the potential impact of this legislation. In its 2017 risk-value report (registration required), NTT Security found that, on average, only 40 percent of organizations globally believe they will be affected by GDPR, with 75 percent of respondents from U.S. businesses and 61 percent of U.K. respondents saying their companies would not be affected. Moreover, the SAS survey found 64 percent of U.S. businesses today were either indifferent to or unaware of the impacts of GDPR. The EU and U.K. fared better on awareness, with 67 percent of respondents from the EU and 70 percent from the U.K. indicating they do understand the implications.
Regardless of location, thinking the GDPR will not impact your business is a mistake for several reasons. First, while the regulation is aimed at protecting people in the EU, it has global reach: its territorial scope (Article 3) covers any company, wherever it is established, that processes personal data of people in the EU in connection with offering them goods or services or monitoring their behavior. And the impact may well be more substantial than people understand. A survey of CIOs of large companies conducted by Vanson Bourne on behalf of Compuware found 52 percent of U.S. companies possess data on EU citizens, making them legally subject to GDPR mandates. The number goes even higher if you add U.S. ex-pats who reside in Europe but are still customers of U.S. companies, perhaps because they own homes in the U.S. or keep U.S. bank accounts and credit cards.
Consumer Expectations Will Play a Big Role
And then there are consumer expectations. Even if the application of GDPR outside the EU takes some time, there is plenty of evidence people are ready to exercise their rights under the mandate wherever and whenever they can.
A SAS poll of U.K. adults highlighted just how ready people are to take control of their personal data. Almost half of the respondents said they plan to exercise these rights, and they could describe what the rights are. Here are some of the findings:
- 64 percent said they welcomed the “right to access” (e.g. get a copy of personal data held about them).
- 62 percent said they welcomed the “right to erasure” (e.g. request their personal data be erased from certain systems).
- 59 percent said they welcomed the “right to rectification.” (In other words, if their personal data is inaccurate or incomplete, they can ask for it to be corrected.)
- 56 percent said they welcomed the “right to object” to the way their data is used for marketing and profiling purposes.
- 54 percent said they welcomed the “right to restrict processing” of their data if they contest the accuracy of data, and for other reasons.
- 43 percent said they welcomed “rights in relation to automated decision-making and profiling.” (In other words, they have the right to seek human intervention if they disagree with an automated decision.)
The saga of Facebook and Cambridge Analytica is a prime example of the power of consumer expectations to extend the reach of regulations like the GDPR.
On May 2, less than two months after the magnitude of Cambridge Analytica’s data misuse came to light, the New York Times reported Cambridge Analytica was forced to file bankruptcy in the United States and Britain because “the controversy had driven away virtually all of the company’s customers.”
For its part, Facebook by late May had seen its market value plunge by almost $100 billion from its peak on Feb. 2 (it has since recovered much of that loss). The company is facing lawsuits from more than 37 different states centering around data misuse, and the Federal Trade Commission is conducting an investigation that could result in up to $2 trillion in fines.
For both Cambridge Analytica and Facebook, these consequences are arguably as significant as they would have been had the companies been directly subject to the GDPR and its penalties.
Companies Initiating Protections — Even if They Don’t Have To
There is, however, some positive movement around data privacy and protection emerging amid all the bad news.
Facebook has announced it will comply with the GDPR (whether it is compelled to do so or not) and has introduced tools to allow users to see exactly what data apps are collecting. It has notified all users whose data was sent to Cambridge Analytica. It is actively working with app developers who do obtain data to ensure conformance to consent and data use regulations, and it has provided a mechanism to allow users to opt out of receiving ads targeted via analysis of personal data.
There is other evidence companies are starting to take notice as well. In the past several weeks, I have received more than 50 emails (I stopped counting at 50) from companies across a broad cross-section of industries, ranging from social media and online publishing ventures to makers of fitness trackers and adventure travel companies. While different in form, the emails have a single common thread: They all announce updated privacy policies, and most publish a fairly detailed set of new policies to explore, the more comprehensive of which cover topics such as these:
- The types of personal data we collect about you and what we use it for.
- The lawful grounds for the processing of your personal data, and how long we keep it.
- Our information security policies and how we protect your data.
- Third parties with whom we share data.
- Your rights in respect of your personal data, with information on how to exercise those rights.
Efforts such as those represent a good first step, I believe.
Bottom line? Take a hard look at the protections enacted by the GDPR because, like it or not, they will apply to you one day. And that day may come sooner than you think.