The General Data Protection Regulation, commonly known as GDPR, came into effect on May 25th, 2018. The regulation, which aims to protect the digital rights of individuals, had IT departments scrambling to prepare at a fevered pace reminiscent of the Y2K frenzy many of us remember (did I just date myself?).
But now that G-Day has come and gone, what happens now? Is GDPR done and dusted? And if not, what does that mean moving forward?
To begin to answer these questions, I’m going to address three of the biggest GDPR myths - and [spoiler alert] provide undeniable evidence that GDPR is far from over and done with…
GDPR was in May - it’s done now
As revealed in the recently published research report from Nuxeo and AIIM, GDPR After the Deadline, working towards GDPR compliance was something that many organizations only did because of their legal obligations (39%). But even though the GDPR “go-live” day has come and gone, that certainly doesn’t mean that organizations can relax when it comes to data privacy.
Managing GDPR compliance needs to be an ongoing effort, rather than a project with an end date. In fact, given that only 30% of organizations said they were fully compliant by May 25th, the date when GDPR went into effect, there would appear to still be a lot of work to do to even get close to full coverage.
In addition, the research shows that companies expect to receive an average of 60 subject access requests (SARs) in the first 12 months after the date at which GDPR went into effect, meaning that the new procedures that have been put in place will be well tested early on. However, the fact that these same companies expect each single SAR to cost around €4,600 suggests that these new procedures may not be as streamlined as perhaps they could be.
The hype around GDPR may have calmed down, but as time passes and more organizations see GDPR compliance failings and fines, and as they look to further minimize the cost of performing SARs, GDPR should continue to be a key consideration from an ongoing data control and security standpoint.
GDPR is just for Europe
Given that the GDPR is a European-driven mandate, many non-European organizations believed, and still do, that it doesn’t apply to them. This is wrong. GDPR applies to anyone who holds information on an EU-based citizen or does business with a European organization, and that’s a lot of organizations.
Many did understand the regulation correctly though, and somewhat ironically, the average budget for GDPR projects in the US was almost 60% higher than in mainland Europe at €4.7M vs €2.8M (note the UK was the exception to this rule with an average spend of €4.4M).
This is not to suggest that European companies treat GDPR lightly, but it perhaps suggests that stronger privacy and overall information governance procedures were already in place in those territories. Only time will tell what the overall impact of GDPR will be on European organizations, but for those in the US it appears to be the tip of the iceberg.
According to Don Elledge of Forbes, “In 2017, at least 42 U.S. states introduced 240 bills and resolutions related to cybersecurity, more than double the number the year before.” It would appear that these are not directly linked to GDPR, but are more a response to various data breaches (Equifax, Uber, etc.) that have made data protection front-page news in the US. With no sign of these breaches abating in 2018, expect the trend for increased localised legislation to continue, something that GDPR aims to mitigate, in Europe at least.
GDPR is under control in our organization
As I shared earlier, around 30% of organizations believed that they’d be fully compliant by the time GDPR day came around, with a further 50% almost there. This is positive, but perhaps a little misleading.
Again, GDPR is not a point solution; rather, it is an ongoing project. So even if fully compliant today, an organization still needs to keep working to keep things under control. For those that are still working towards compliance, several areas of concern were highlighted, with limited confidence in organizational ability to control data privacy around:
- Shared drives (34.5%)
- Email (28%)
- 3rd party SaaS apps (30%)
Delving a little deeper into this research, weak links were identified in organizations’ ability to provide machine-readable data, respond to processing objections, and honour a data subject’s right to be forgotten.
This last point is particularly interesting. The Harvard Law Review of 1890 (that’s right, 1890!) coined the phrase “the right to be left alone”, a pre-digital version of the current “right to be forgotten.” It would appear that almost 130 years later, this construct is still proving hard to execute against. Let’s just hope we’re not still talking about GDPR (and a lack of compliance) 130 years from now.