Coming towards the end of the year is always a good time to look back and see what has worked and what hasn't. Over the past two years, one of the most difficult areas of enterprise technology management has been around GDPR and how to comply with it.

GDPR is a regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

What has been problematic for many enterprises, however, is that every organization operating in the European Union must comply with this regulation. This means that all the big US tech companies have to comply, as does any other company that wishes to do business in any of the 28 countries that make up the EU.

At the heart of this is the fact that the monitoring of customer and employee data privacy has always been important, especially for industry sectors that must already comply with the many privacy regimes that exist globally, such as HIPAA (the Health Insurance Portability and Accountability Act of 1996). So how have organizations been faring? Redwood City, Calif.-based Talend has just released research (registration required) into this very subject.

Among other things, it found that 58 percent of businesses still failed to comply with GDPR requirements when faced with requests for personal data. While this number is down from 70% in Talend's test of companies a year ago, non-compliance is still the majority case. The research also found that:

  • Only 20% of companies verified identification before providing personal data
  • Public sector and media/telco industries are the worst offenders with only 32% and 29% compliance rates respectively
  • 32% of companies who failed in 2019 achieved compliance in 2019
  • The average company provides personal data from requests after 16 days

In terms of compliance, the research found that:

  • Only 29% of the public sector organizations surveyed could provide the data within the one-month limit. In the media and telecommunications industries, only 32% reported that they could provide the correct data on time.
  • Retail, financial services, travel, transport and hospitality are average. Compared to last year, retail companies improved their success rate, with 46% of such companies reporting that they provided correct responses within the one-month limit.
  • The lack of automation in processing requests was one of the main reasons companies failed to comply, along with the lack of a consolidated view of data and of clear internal ownership over pieces of data.
  • ID proofing and the request process should be improved. The research also highlights the lack of an identity check, during the data request process, of the individual requesting the data. Overall, only 20% of the organizations surveyed asked for proof of identification.

Data Privacy as a Differentiator

Despite these problems, US companies are moving slowly towards better, if not complete, compliance. Todd Wright is head of data privacy solutions at SAS. He explained that compliance goes beyond the threat of fines by the EU. “Organizations have been very motivated in the United States to meet the GDPR regulations, but it goes even beyond the fines from the EU authorities,” he said.

US organizations, he added, have used the GDPR as the de facto guide to ensuring data privacy, with the understanding that the California Consumer Privacy Act will be enforced from January 2020, and that their customers will then have a greater understanding and awareness of data privacy than ever before. “It can be heard loud and clear from companies like Apple that now advertise privacy and taking care of your customer’s data as a brand differential,” he said.

The Push For Personalization

Toronto-based Taplytics is a customer experience optimization company. Aaron Glazer, its co-founder and CEO, said that they are seeing more U.S. companies than ever looking to proactively safeguard consumers from common privacy issues and concerns in the face of GDPR and other pending regulations like the CCPA — even when those regulations don’t directly apply to them. Some of them are looking to self-regulate so that the government doesn’t do it for them, but most are doing it because they take their customers’ privacy extremely seriously. “As the demand for 'personalized everything' grows, these organizations want to personalize customer experiences at scale, while also guaranteeing privacy,” he said.

These two goals appear to be at odds, but enterprises that hold large amounts of consumer data are often taking major steps to protect that data, such as migrating it away from the cloud and back to on-premises storage. This gives them access to the benefits of big data while adding a major layer of protection against common external threats.

Rules of Engagement

Though GDPR guidelines don’t affect every US company — and are not necessarily at odds with personalization — they do introduce respectful rules of engagement that not all companies follow when working with consumers. US enterprises are choosing to integrate the philosophy behind regulations like GDPR into their own internal personalization and privacy strategies and building from there, rather than being caught off guard as growing adoption of these types of regulations reaches their industry or state.

In the next year or so, with CCPA going into effect in January 2020, more organizations will be hit with fines as a result of failing to meet regulations, and that will be the turning point not only for CCPA but also for GDPR adherence, said Tara Combs, information governance specialist at Boston-based Alfresco.

A key challenge now is that many organizations have not been able to get a handle on the volume of customer information they’re responsible for. That volume can no longer be properly managed manually. While artificial intelligence hasn’t been widely adopted yet, that will change in the next year, and we’ll see AI start to drastically improve the identification of PII and its placement under information governance. AI technology is definitely needed to effectively identify customer information and classify the type of PII found in unstructured data.

“The main challenge with GDPR compliance relates to unstructured data, and organizations not understanding where it lives, human error within information management and poor adoption of proper practices of managing content with PII,” she said. Effective solutions will remove much of the human interference, automating processes through the data’s entire lifecycle, and will simplify the manual tasks to help speed identification and adoption.