The run-up to the General Data Protection Regulation (GDPR) taking effect was eventful and unpredictable, largely because most organizations did not fully understand what the regulation required of them. Things have changed quickly since then: as the 12-month mark approaches, most organizations now have a much clearer picture of their obligations, although some have learned harsh lessons along the way.
Now that the dust has settled, the picture is considerably clearer for organizations both inside and outside the EU. The following looks at where the GDPR journey currently stands: the consequences of non-compliance, what is still required of organizations that have already become compliant, and the emergence of similar regulations elsewhere in the world.
Backlashes since the GDPR Deadline
Since the GDPR came into effect, supervisory authorities have not shied away from penalising organizations that failed to meet the new legislation's demands. While a large number of organizations that handle the personal data of people in the EU moved quickly to become compliant, others have been caught lagging behind.
As of December 2018, only 29% of businesses in the EU were fully compliant with the GDPR. Given the stiff fines attached to non-compliance, it is hard to see why so many have taken such a casual approach. The biggest GDPR casualty so far has been Google, recently fined €50 million in France for a lack of transparency around its data processing and ad personalisation. This is by far the largest fine against any organization since the GDPR came into effect last year.
In the past eleven months, more than 60,000 data breaches have been reported to authorities and more than 90 organizations have been fined. One example is a Portuguese hospital that was fined around €400,000 after its staff used fake accounts to access patients' data.
It is worth pointing out that the maximum fine under the GDPR is the higher of €20 million or 4% of an organization's annual worldwide turnover, so for the largest companies a single penalty could run into billions of dollars.
What’s next for GDPR compliant organizations?
The GDPR is designed so that compliance is a continuing obligation rather than something demonstrated once for an audit. If you have taken the steps needed to become GDPR compliant, the job is not done: the regulation expects personal data to remain protected throughout its entire lifecycle, from collection to deletion.
A recent Verizon study, however, found that most organizations fall out of compliance within nine months of achieving it. To avoid that, and the fines that follow, the following steps help keep your organization's GDPR compliance on track.
- Create supporting GDPR governance structures by giving a named person or team (for example a Data Protection Officer, which the GDPR requires for some organizations) responsibility for compliance and for managing the change smoothly.
- Improve GDPR awareness across the entire organization.
- Leave room for changing business needs, so that new products, data pools and channels are brought into scope rather than left outside it.
- Stay ahead of changes in the industry and, where it makes sense, adopt a trusted formal information security standard such as ISO 27001.
- Consistently monitor, test and measure the effectiveness of your GDPR compliance program.
- Document every step, since the GDPR's accountability principle expects you to be able to demonstrate your compliance, not merely assert it.
Are organizations avoiding EU markets to avoid GDPR compliance?
Although the GDPR is EU legislation, its reach extends well beyond the Union's borders. If your organization offers goods or services to people in the EU, or monitors their behaviour, the regulation applies to you wherever you are established. Given the complexity of the GDPR, it may seem reasonable for businesses outside the bloc with no substantial EU dealings to cut ties with the region altogether.
But are organizations really avoiding the EU because of the GDPR? In April 2018, just before the regulation took effect, Facebook moved responsibility for around 70% of its users (roughly 1.5 billion accounts) from its Irish entity to the US so that those users would fall outside the GDPR's scope. These were users outside the EU, US and Canada. LinkedIn made a similar move from Ireland to the US in 2018.
Since May 2018, many websites have simply blocked EU visitors rather than comply, while others have served EU visitors a reduced version of the site stripped of tracking technologies, such as a plain-text edition.
Will other countries or regions develop similar data protection regulations?
Like most countries and regions, the EU had data protection law long before the GDPR (the 1995 Data Protection Directive), but the GDPR was designed for the digital era and to give consumers stronger protection. The question is whether other blocs or nations will adopt the GDPR or develop similar legislation to meet the digital needs of their own consumers.
Other countries will typically develop legislation resembling the GDPR, but the chances of any of them adopting it verbatim are low, since each has different needs. Nevertheless, many countries have continued to evolve their existing legislation or create new laws that are compatible with the GDPR. Japan, for instance, recently updated its data protection law so that it is recognised as compatible with the GDPR.
Lawmakers in the US have also recently begun work on comprehensive data protection legislation at the federal level, in place of the state-by-state patchwork currently in force. Brazil has adopted similar legislation, the LGPD, which it aims to bring into force by 2020.
The GDPR is here to stay, and organizations will need to do more to ensure that compliance is maintained on an ongoing basis, especially across new data pools as well as existing channels. Whether or not other countries adopt this legislation, the growth of data over the past few decades means that most will eventually develop regulations similar to or compatible with the GDPR.
Remaining proactive and responsive to new threats will help put organizations worldwide at the forefront of maintaining GDPR compliance at all times.