Ready or Not, the GDPR is here!

Business Insights
30/05/2018

It seems, however, that neither business nor regulators are ready.


The General Data Protection Regulation (GDPR) came into force on May 25th, but it seems that many companies are either still not ready, or worse, have barely started taking the necessary action, despite the vast amount of information that has been available over the last two years.


One might have expected two years to be plenty of time to prepare, and, yes, some companies are ready, but, just as in every other area of life, there are people who get things done early and those who treat a deadline as the time to start.


In fact, a poll of more than 500 businesses commissioned by the London Chamber of Commerce and Industry (LCCI) in January found that, with just months to go, of those business decision-makers who believed the GDPR would affect them, just 16% said their business was prepared for it, while 21% said their business would like to prepare for the GDPR but needed to find out more about it.


This matches a survey of over 1,000 companies conducted by the Ponemon Institute in April, in which half the companies surveyed said they would not be compliant by the deadline. When broken down by industry, 60 percent of tech companies said they were not ready, with many scientists and data managers seeming to doubt that absolute compliance is even possible.


There is another problem: many of the regulators who will police the new regulation say they aren’t ready yet either!


The pan-EU law won’t be overseen by a single authority but instead by a patchwork of national and regional watchdogs across the 28-nation bloc. Seventeen of 24 authorities who responded to a Reuters survey said they did not yet have the necessary funding, or would initially lack the powers, to fulfil their GDPR duties.


“We’ve realized that our resources were insufficient to cope with the new missions given by the GDPR,” Isabelle Falque-Pierrotin, president of France’s CNIL data privacy watchdog, said in an interview. She, like some other regulators, was pressing her government for a substantial increase in resources and staff.


So although the penalties for non-compliance are stiff (the GDPR allows regulators to fine companies up to 4 percent of their global revenue for serious violations), how it will all work is not clear. How it actually works in practice will depend on what the regulators do with it. Eventually, norms will emerge: who the regulators will go after, what kind of penalties they’ll levy for what kind of behaviour, and how much of that 4 percent of global revenue they’ll extract from offenders.


The breach notification part of the regulation will add even more pressure: although companies are required to notify the relevant data protection authority of a breach within 72 hours of discovery, it seems that regulators may not be ready to audit a company’s security, or to work out exactly what to do to protect the EU residents affected by the breach. They have to do something, and may have some flexibility in how they respond, but the GDPR won’t allow them to do nothing.


The general assumption has been that when the deadline hits, European regulators will treat it as a soft opening, going easy on companies for a honeymoon period while everyone figures out how the law is going to work.


So if you are one of the many not yet ready, you are not alone, but it is important to make a start by thinking about what data your business holds, how you use it and how it is stored.


Basically, the new regulations are part of an EU-wide directive which demands greater accountability and transparency from organisations about how they collect, process and store personal information. Compliance will be easier for businesses that already comply with existing data protection regulations, even though data subjects gain new rights.


These new rights entitle data subjects to transparency about what data is being collected on them and why. The old idea of collecting as much data on people as possible and working out how to use it later will no longer be acceptable. Data subjects will now have the right to access the data held on them, to amend or correct it where necessary, to know how it is being or will be used, and to have it deleted altogether where appropriate.


GDPR is only supposed to apply to the EU and EU residents, but because so many companies do business in Europe, industries across the world are hurrying to become GDPR compliant.


The hope is that as companies and regulatory bodies settle into the flow of things, the heightened privacy protections of GDPR will become business as usual. In the meantime, it’s just a mad scramble to keep up.