Many companies, large and small, are scrambling with last-minute preparations for compliance with the European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25, 2018. If they don’t comply, they face fines of up to 4 percent of a company’s worldwide revenue for serious infractions or 20 million euros, whichever is higher.
A recent IAPP survey of U.S. and European companies carried out by the Ponemon Institute has revealed that only 52 percent of companies expect to achieve compliance by the deadline and that 40 percent of companies are likely to achieve GDPR compliance after May 25, 2018. The remaining 8 percent of companies were not sure when they will achieve compliance. For 83 percent of the responding companies, preparing for data breach notification, the most significant new requirement of the regulation, is viewed as the most difficult obligation to achieve by the deadline, and 68 percent indicate that an inability to comply with the notification requirement poses the greatest difficulty and biggest risk to their companies. If nothing else, this survey shows the extensive work that must be done for GDPR readiness, the demanding nature of GDPR, and the anxiety around complying with it. The survey also shows that companies are spending large amounts to achieve GDPR compliance. The average annual budget for compliance is $13 million, a figure that one in three companies expects to review annually.
And one trend is becoming common: 70 percent of organizations say they are disposing of data in advance of GDPR, and 80 percent are reducing the amount of personal data they plan to keep, according to the IBM survey.
Industry sector and company size are important factors in GDPR readiness. Financial service organizations report the highest readiness level, followed by companies in technology and software, and in energy and utilities. In contrast, companies in retail, industrial manufacturing, and services report the lowest readiness level.
Smaller companies and very large companies see themselves as less likely to be in compliance with GDPR by the effective date than do mid-size companies. Smaller-sized organizations report the lowest readiness level, while companies with 5,000 to 25,000 employees report the highest readiness level. Large companies with more than 25,000 employees have a lower level of readiness than middle-sized organizations.
Companies such as Facebook that rely heavily on user data collection and analysis have taken steps to minimize the damage. In a tweak to its terms and conditions before the law goes into effect, Facebook is shifting responsibility for all users outside the U.S., Canada, and the European Union — some 1.5 billion users — from its international headquarters in Ireland to its main offices in Menlo Park, California. Ostensibly, those users will be governed by U.S. law rather than Irish law.
Facebook has been particularly vigilant of late on data security, after it was revealed that data belonging to 87 million of its members was harvested by political consultancy Cambridge Analytica, which worked on Donald Trump’s 2016 presidential election campaign. Earlier this week, Facebook announced the deletion of hundreds of millions of pieces of spam, fake accounts, hate speech, nudity, violent content, and terrorist content.
GDPR enacts sweeping regulations when it comes to processing personal data. In order to determine what data is and is not subject to GDPR, every organization should fully understand the nature of all its data. Organizations with complex data needs are scrambling to comply due to GDPR’s stringent requirements. For example, organizations collecting uncategorized voice or video footage of individual citizens would have an extremely difficult time complying with Article 17 of GDPR, the right to erasure (or “right to be forgotten”), in cases where they need to locate and delete all identifiable data pertaining to a particular person. This isn’t a rare circumstance — according to International Data Group, unstructured data is growing 62 percent per year.
So how strict will regulators be in cases where technical limits inhibit compliance? What will they consider “identifiable?” Time will tell, but my prediction is there will need to be a reckoning between GDPR requirements and the reality of today’s technical capabilities when it comes to data management and security.
In the meantime, instead of obsessing over the impossibilities and maybes, focus on what you can control: understanding your data deeply — what it is, where it is, where it’s going and what its limitations are. Only by getting to know your data better than ever will you be as equipped as possible — not only for GDPR compliance and avoiding unprecedented fines but also for innovating with your data faster and more securely.