During May 2018, as its deadline inched closer, Google searches in the United States for information around General Data Protection Regulation (known as GDPR) topped separate searches for Kim Kardashian and Beyoncé, according to the European Commission.
It’s further evidence that “Keeping Up with the General Data Protection Regulation” was on the minds of many then, and that figuring out how to avoid paying the “Bills, Bills, Bills” associated with noncompliance was of course a huge priority.
Those Google searches give us some clues to something that became increasingly clear in the weeks leading up to the European law’s implementation – that organizations were not ready for it. More than half of the US and European companies surveyed in the IAPP-EY Annual Governance Report 2018 who were subject to the regulations said they were far from compliance or would never comply. They named some of the hardest aspects of compliance as the right to be forgotten, fulfilling data subject access requests, and getting explicit consent from users – with US companies reporting higher difficulty scores, according to coverage in Corporate Counsel.
May 25 will mark the one-year anniversary of the European regulation, one of the main aims of which was to “empower people and give them more control over one of the most valuable resources in modern economy – their data,” according to the European Commission. As we approach the one-year mark, both the law’s impact and its adoption are somewhat of a mixed bag.
According to Slate coverage, year one of GDPR’s effect should be considered as “a transition year,” Mathias Moulin, the head of France’s data protection authority (the CNIL) told listeners at a March 2019 London-based IAPP panel aimed at taking stock of the GDPR landscape.
According to the Slate reporting, nearly 60,000 breaches were reported during the first eight months of the GDPR – data Slate covered from a survey released last month by law firm DLA Piper. And during the first nine months, total penalties imposed under the statute added up to €55,955,871 (about US $62,900,554).
But struggles to comply remain. Last year, the law firm McDermott Will & Emery conducted a survey on readiness with the Ponemon Institute. Respondents named the need to make “comprehensive changes in business practices” as the top barrier to GDPR compliance. Taking a fresh look at those results as it prepared to roll out another survey, the firm recently participated in an IAPP panel discussion in Boston on how GDPR implementation has played out, according to IAPP coverage. McDermott Will & Emery partner Mark Schreiber, who leads the firm’s Global Privacy and Cybersecurity practice, said that they expect the same concern to be top of mind when they conduct the survey again this year.
“We still have too little time and it’s a year later,” Schreiber is quoted as saying in the IAPP coverage of the event. “We expect 50 percent of covered companies are still in the process of GDPR compliance and it will likely go on for another couple of years.”
That hesitancy rings true in other surveys of privacy professionals, who named “adapting to an increasingly volatile regulatory environment” as their top priority in a recent Gartner survey. Just four in 10 indicated that they were confident in their current abilities to keep pace with new requirements.
“Strategic and regulatory flexibility will be critical to the success of privacy functions this year,” Brian Lee, managing vice president for Gartner, said in a press release. “Organizations still feeling the full force of complying with Europe’s General Data Protection Regulation (GDPR) are now being asked to adapt to additional regulatory requirements, which can impact both short- and long-term strategy. This is especially important, as regulators and customers alike have made it clear that there is no longer a grace period for companies getting their privacy priorities in order.”
As privacy professionals wrap up year one, the IAPP has some comprehensive resources available on the topic, including this post covering benchmarking data, as well as a webcast on the topic, “GDPR: Where Are We Now?”
Interestingly, many of our Compliance Intelligence customers are finding reassurance in the definition and guidance that GDPR provides. Specifically, under GDPR Article 6, there is a legal basis for processing based on preventing fraud and on protecting the legitimate interests of the data controller or a third party. Recital 47 states: “The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.” For Usage Intelligence customers, legitimate interests as a legal basis (the use of data to improve products) means that consent is not required. Of course, they still need to address the fairness and transparency principle, under which the privacy notice must state the legal basis for processing, whether the data is shared with a third party, and that the processing may occur in the United States.
Despite larger challenges, our prediction for customers from almost a year ago appears accurate: “GDPR compliance isn’t as complex as it may seem – and it can easily be accomplished without disrupting your business practices and the value you’ve realized from leveraging data for insight-driven revenue recovery and product development.”
Share your GDPR questions in the comments section below – we would love to hear your thoughts on the first year of GDPR, too.