Following four years of preparation and debate, the GDPR was approved by the European Parliament in April 2016, and the official text of the regulation was then published in all of the official languages of the EU in May 2016. The legislation became enforceable across the European Union on May 25, 2018.
The parliament warned that any company doing business in a European country and handling the personal data of people in the EU, no matter where that company was headquartered, would have to comply with the regulation.
But here we are 16 months after it became enforceable, and seven years since it was first mooted, and numerous research reports indicate that enterprises across the world are still struggling to comply with the new rules.
Reported Data Breaches
The most recent research, published earlier this month, was a study commissioned by the international law firm McDermott Will & Emery and conducted by the Ponemon Institute. It found that almost 50% of respondents had experienced, in the past year, at least one personal data breach that had to be reported under the GDPR.
There were other striking findings in the 68-page report, Keeping Pace in the GDPR Race, the most notable:
- One-quarter of respondents, averaged across all countries surveyed, say their readiness and confidence to respond to a GDPR data breach is very low.
- Only 18% of organizations were highly confident in their ability to communicate a reportable data breach to the relevant regulator(s) within 72 hours of awareness.
- Nearly half (49%) of Chinese respondents and more than one-third (36%) of Japanese respondents subject to GDPR are still not familiar with this regulation.
The report notes that although companies say they are making significant investments in compliance, there are still risks around their ability to prevent data breaches, and then to respond to them. Almost half of the respondents experienced at least one personal data breach that was required to be reported under the GDPR, yet fewer (39% of US companies and 45% of EU companies) actually reported a personal data breach to a regulator.
Data Across Jurisdictions
So what's happening in enterprises? Why are they struggling with the GDPR? Linda Hamilton, compliance officer and cyber operations manager at Proven Data, pointed out that because the GDPR imposes data security mandates with global reach, one of the biggest problems for many international businesses is working out how their organizations can be compliant with the new regulation at all.
“One of the largest challenges facing the security community is having businesses across many different jurisdictions follow suit to a congruent set of rules and regulations. Because of differences in attitude towards cybersecurity and the culture around data privacy, certain demographics and regions around the world are still warming up to the idea of the GDPR,” she said.
As data crosses international borders ever more frequently (far more often than actual, physical human beings do), companies that conduct business on an international scale face real difficulty keeping up with a growing number of cyber compliance regimes.
Right Staff For The Job
Another contributing factor in enterprises failing to adhere to the GDPR is their inability to put in place the staffing and resources the legislation calls for. With more attention on data security, these businesses now have to restructure and hire new talent dedicated to the cybersecurity goals of the enterprise. For larger organizations, this can take months, or even years, to actually apply to their current operations.
“As more governments around the world set forth their own data protection laws (like the GDPR) we suspect there will be more attention and effort by these enterprise businesses to stay compliant with regulations,” she added.
More Than a Technology Issue
The difficulty is not tied only to technology but is rooted in a couple of other things as well, according to John Hernandez, CEO at Selligent Marketing Cloud. Those things include:
1. Nuances in Regulatory Laws Across Regions
Hernandez pointed out that a brand can be compliant with the GDPR but not with other regulations, such as the California Consumer Privacy Act (CCPA) and Canada’s Anti-Spam Legislation (CASL). Finding a data approach that maintains some consistency yet is compliant across the board is tough, and it is tougher still to future-proof data strategies against regulations that haven't been enacted yet.
2. Overwhelming Amount of Data
The second challenge is the data itself. There is simply so much of it that revisiting, restructuring and re-executing data strategies to meet regulatory requirements feels like a momentous undertaking, and it is often hard to know where to start. “This is the reason why when we work with brands, we recommend starting from their overall business objectives. Understanding what the brand is trying to learn from their data set and what benefit those lessons have for the business and their end consumers is crucial,” he said.
The next step is to work backwards and develop data strategies that make sense for those goals and are attainable. One thing is clear: transparency, meaning being clear about how the information a brand is requesting will benefit consumers, is key to keeping trust and loyalty.
Not a Universal Problem
Christopher Hart, an attorney at Foley Hoag, said that the problem may be widespread, but it is not universal. There are enterprises that are aware they may need to comply, and there are enterprises that have not really considered the question and then discover, belatedly or reluctantly, that they need to comply.
Then there are those companies that have very sophisticated privacy practices and are incredibly knowledgeable about the GDPR as well as the wide range of various privacy laws and regulations. “I think this hits on a key issue — privacy needs have exploded very recently. Before the GDPR, privacy in US businesses that are not already heavily regulated (e.g., healthcare companies or financial companies) had the seeming (although not actual) luxury of being able to put privacy issues, which can be resource-intensive, at or near the bottom of the list," said Hart.
“The GDPR and its follow-on/copycat legislation have made that stance increasingly untenable, both as a compliance and liability matter and as a market and business matter. But the sense that other risks require more immediate attention, or that privacy is a risk that can be cabined — these thoughts seem to persist,” he added.
Another aspect is that companies also make compliance cost/benefit assessments. In the GDPR context, even a company that does some business in the EU might determine that the risk of enforcement or lawsuit liability is low compared with the cost of compliance, so that doing anything further makes no sense from a business perspective.
The bottom line, he added, is that the GDPR and the way it talks about and treats privacy is not intuitive to people used to thinking about how privacy works in the US, and until laws like the CCPA become more common, or the vocabulary and grammar of such laws become more commonly heard and used, that lack of an intuitive feel may continue to hinder understanding and compliance.
If GDPR compliance is not working for some companies, what should they do to develop a successful strategy? Todd Wright, head of data privacy solutions at SAS, argues that, as with many failed data governance efforts, companies are making the major mistake of treating a privacy program as something to be handled exclusively by the IT department. Technology is just one component of becoming compliant with the GDPR, and a late-stage one at that.
Wright said companies that succeed with the GDPR have these things in common:
- A data governance program already established that is business-led, with IT involved.
- The understanding that data privacy should be a component of data governance, not a separate initiative.
- Data privacy by design (not default) in all areas of thought and execution. This means every process, business goal and action should have data privacy designed within it — and not as a secondary objective to be dealt with after the fact.
- A clear understanding of where their customers’ data may reside and the ability to access it.
- Data lineage and metadata management capabilities that form the basis of understanding for their data and its connections.