The deadline for compliance with the General Data Protection Regulation (GDPR) is coming up fast. Says the European Union: “Enforcement date: 25 May 2018 – at which time those organizations in non-compliance may face heavy fines.”
Bad news: Companies aren’t ready. Neither are regulators. Remember that the GDPR doesn’t only apply to European entities, says the regulation. “The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
And the penalties are stiff: Organizations can be fined up to 4% of annual global revenue, with a cap of €20 million. Ouch.
So what’s the problem? There are many provisions in the GDPR, ranging from putting people in charge of collection of their personal data, and allowing them to see, change, and delete their data. That requires lots of new technology – and security on that technology. GDPR requires rapid notification of breaches, which also means new technology and staffing in the security operations center. And that doesn’t even get into all the legal stuff, such as changing privacy policies and disclosure agreements.
Making matters worse: The GDPR tells companies what they must do. It doesn’t tell them how to do it. It’s a regulation, not a framework or how-to guide. That leads to the challenge, not only for companies, but also for government entities charged with GDPR enforcement.
First, companies. In CSO’s story, “GDPR is coming, and many organizations aren’t ready,” we read, “With only a few months until the regulation goes into effect, only 11 percent of those surveyed say they are completely prepared and only 33 percent say their incident response plan meets the GDPR requirement for breach disclosure in 72 hours.”
More specifically: “While 11 percent of organizations are completely prepared for GDPR (i.e. would be ready if it went into effect tomorrow), 33 percent say they are mostly prepared (i.e. most work done but some tasks left to accomplish), and 44 percent claim they are somewhat prepared (i.e. organization has identified all the steps to meet the GDPR deadline but are early in the process of completing all tasks).”
On the regulator side, there are issues as well. As Reuters reported in its story, “European regulators: We’re not ready for new privacy law,” the GDPR is overseen by a patchwork of national and regional organizations. And, “Seventeen of 24 authorities who responded to a Reuters survey said they did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties.”
According to Reuters, some governments have yet to update their laws to include the Europe-wide rules, a process that could take several months after GDPR takes effect on May 25. In the mean time, “Most respondents said they would react to complaints and investigate them on merit. A minority said they would proactively investigate whether companies were complying and sanction the most glaring violations.”
GDPR. It’s coming, ready or not. It looks like many affected entities fall into the “not” category.