The dust has now settled on the much-anticipated implementation date of GDPR – 25 May 2018. For the first time, GDPR has started to enter wider public consciousness. The notorious tsunami of emails that most people have received, requesting consent to receive marketing content and data processing, could hardly make you forget about the regulation. But now the deadline has passed, how many organisations are actually fully compliant with GDPR? How will some of the more ambiguous elements of GDPR actually work in practice? Will regulators immediately and harshly clamp down on non-compliant organisations? These are some of the things that this article will focus on.
Surveys carried out pre-GDPR certainly suggest a large number of organisations are still not fully compliant. For example, the Ponemon Institute’s April survey of over 1,000 organisations found that half of the organisations surveyed would not be compliant by the deadline. By anyone’s standards, this is a significant amount of non-compliance, especially with the threat of huge fines facing these organisations.
The vast majority of organisations are not being deliberately negligent, however, but are simply faced with an overwhelming task. GDPR comprises 99 articles which need to be thoroughly read and understood. Certain elements will also bring new challenges. For example, data subject access requests give individuals the right to request their personal data along with other supplementary information. The difficulty arises when that personal data may be spread across several different servers in a range of file formats. In addition, individuals have the right to request their data in a portable form, which adds another logistical challenge. Many organisations will simply not have the internal infrastructure to deliver such requests in a timely manner.
Much of the regulation is also about learning on the job. Forbes recently interviewed the Data Protection Officer (DPO) for Blackberry, David Blonder, who spoke about the challenges of his role. He mentioned the need to be flexible with employees, always using the carrot more than the stick to help them understand the importance of compliance. There is also the worry of not doing enough; GDPR compliance is always ongoing and the business community still has concerns about how the regulation will be implemented and enforced. In other words, DPOs are still feeling out how best to comply with GDPR. And it is worth mentioning that Canadian companies like Blackberry are some of the best placed to handle GDPR, with Canada’s data protection law considered ‘adequate’ by the EU.
Organisations are not the only ones still finding their feet. Many regulators are not ready to deal with GDPR’s ambiguities and expectations. A Reuters survey found that 17 out of 24 authorities said they did not yet have the necessary funding or would initially lack the power to fulfil their GDPR duties. This is an interesting situation where the policers are incapable of policing. In the case of breach notifications, whereby organisations have to report data breaches within 72 hours to the relevant authorities, GDPR does not make it clear exactly what regulators are supposed to do next; they certainly cannot do nothing.
All these uncertainties might suggest regulators will go easy on organisations in the first stages of GDPR whilst everyone works out what is expected of them, and then certain norms will eventually be established. However, sometimes regulators are forced to take action whether they like it or not. For instance, if an individual makes a data subject access request and the organisation does not respond within 30 days, the regulator would have to deal with the subsequent complaint in some way. Therefore, no assumptions should be made about leniency from regulators.
On May 25, it only took 48 minutes for the first GDPR-related challenges to come in. Max Schrems, known for campaigns against Facebook, is once again taking the social media giant on, along with Google, Instagram and WhatsApp, for the way they handle consent. He argues that those companies operate on ‘forced consent’, where users are forced to accept data agreements in order to use the service. Schrems feels this defeats the purpose of GDPR, and that users should not be blocked from services should they disagree with a data policy. Whether anything comes from these complaints will be interesting to see.
Over in America, some organisations have reacted to GDPR in an even more heavy-handed way. Several high-profile US news websites such as the Chicago Tribune and LA Times have made their websites unavailable in the EU. In other words, they would rather not face the effort of complying with GDPR. Would even larger corporations such as Facebook consider excluding the EU market should complaints get serious? It seems unlikely, but it is fascinating to see organisations doing this despite having had two years to prepare. Furthermore, it opens up the economic angle to GDPR. US Commerce Secretary Wilbur Ross has written strongly about GDPR and its potentially negative effect on transatlantic trade, with the regulation allegedly costing American companies billions of dollars to comply. As far as the European Commission is concerned, this misses the point. GDPR is about protecting the rights of individuals, not multinational corporations.
Despite varying responses to GDPR, one thing is certain: GDPR is not going anywhere. This means that your organisation has to be serious about complying with the new regulations. Kindus will take you every step of the way to ensure that your organisation does not risk facing crippling fines.
We will advise you on compliance strategies, demonstrating the best ways to make sense of such an overwhelming set of regulations. We will organise privacy impact assessments to analyse the data held within your organisation, the degree of risk to that data and the measures put in place to protect it. We will evaluate the process by which your organisation would respond to a data breach, and how you would go about limiting the damage caused. We will talk you through privacy by design and how to go about creating systems which are designed from the ground up with privacy in mind.
Do not leave GDPR to chance. Please contact Kindus today if you require assistance with any aspect of GDPR.