Tomorrow is the deadline for complying with the General Data Protection Regulation (GDPR). If you’re not ready, don’t worry, neither are most of the regulators.
The GDPR was adopted by the EU in 2016. It gave companies 24 months, until May 25 of this year, to be compliant with the data collection and protection law. However, due to the confusing language in the regulation, few firms have been able to even fully understand what the requirements actually are. In fact, even the regulators aren’t prepared, according to a Reuters survey.
Seventeen of 24 regulatory bodies told Reuters they aren’t ready to fulfill their responsibilities under the GDPR, either due to inadequate resources or because local governments haven’t updated their own laws to match the EU-wide regulation.
Of course, if regulators aren’t ready to fill their role under the GDPR, consumers will be unable to fully embrace the regulation as well. If an EU citizen requests the data a company has collected on them and the firm is unable to comply within the 30-day deadline, the citizen can file a complaint with their local regulator. But if the regulator is understaffed or underfunded, they simply won’t be able to follow through on the complaint.
Furthermore, even for businesses that are on track for compliance, there could be problems on the regulators’ side. While there is a strict requirement for organizations to report a data breach within 72 hours of discovery, there are no hard rules for how regulators are supposed to respond to these notices.
It’s a catch 22 for everyone involved right now, but what does this mean for you and your business?
Being GDPR Ready
First, you still need to focus on compliance. Make sure the appropriate notices and requests for clear consent are in place for the gathering, use, and storage of personal data. Make sure you’re ready to respond to data requests of all kinds, report data breaches, and that your use of personal data falls within the lawful use requirements of the regulation.
Second, think about how the GDPR is going to affect your internal and external business efforts. Marketing and sales are going to change depending on where your business is located and if your target audience is within the EU. And internal operations are going to be impacted as well, especially for organizations located in the EU. Have you thought about how the GDPR is going to affect how you handle employee data? Is your IAM strategy set up to handle internal data requests? Do you collect more personal data on your employees than necessary? These issues are also going to arise over the next few weeks, so you might need to start working to update your IAM platform as well.
What About the GDPR Fines?
The main question on the mind of anyone managing GDPR compliance, however, is if they are going to be hit with a fine come May 25th? According to Sarah Jeong at The Verge, the general thinking is regulators will go soft on organizations at first. “European regulators will treat it as a soft opening, going easy on companies for a honeymoon period while everyone figures out how the law is going to work. But regulators can’t entirely control what’s going to happen on May 25th because parts of the GDPR are user-driven.”
Becoming compliant with the EU rules now is a good move even if, for some reason, you don’t do business in Europe. In April, US Sens. Amy Klobuchar (D-MN) and John Kennedy (R-LA) introduced a bill that would bring GDPR-like data regulations to the United States. The “Social Media Privacy Protection and Consumer Rights Act of 2018” includes requiring companies to provide users with any data collected on them upon request, informing them how the data is collected, who has access to it, and also mandates a 72-hour window for data breach announcements.
The takeaway: If this bill becomes law GDPR will become the de facto global standard, so it’s in your best interests to become compliant ASAP – maybe even before the regulators are ready to check up on you.