Based on what we’ve learned helping our clients prepare, there’s a lot of work left to do. Here are five key insights from the field in the post-deadline world.
1. Readiness is a journey, not a destination.
How many companies are ready? Gartner predicts that by the end of the year, more than 50 percent of companies affected by the GDPR won’t be fully compliant. A Deloitte survey paints a bleaker picture: Only 15% expect to be fully compliant, with 62% opting to set up a good, risk-based defense, and the remaining 23% setting the bar even lower.
The nature of the GDPR means that even US companies with no physical presence in the EU are subject to GDPR regulation. However, working with clients and learning from our networks, it appears that a lot of firms didn’t even start their GDPR compliance initiatives until just a few short months ago. Most underestimated its significance and complexity. Some even think it won’t last. Those companies that are diligently trying to achieve compliance scrambled to meet requirements by the May deadline, but very few can declare their projects complete.
An Austrian privacy advocate has already filed lawsuits against Facebook and Google, alleging that they’re not compliant. And while companies with lower profiles probably don’t have the same risk of legal action, they still need to be able to demonstrate that they’re taking the GDPR seriously and understand how to respond to requests. Most understand this: They have initiatives under way and an implementation plan to show they are approaching it in good faith. But true “readiness” hasn’t been accomplished yet in most US companies.
2. The scope and granularity are overwhelming.
It’s not surprising that companies haven’t been able to move into GDPR operations mode yet. Looking at all the hype from security vendors, you’d think security was the primary focus, but it’s not – it’s privacy first. In fact, only one of the 99 articles in the regulation addresses security, and when you look past security and go deeper into the regulation to map out implementation tasks, the impact of GDPR balloons. It’s deceptively significant – the broadest, most far-reaching regulation to date, asserting authority over information stored on any EU citizen no matter what, where, or why. To address it, companies have to evaluate every consumer touchpoint and get fine-grained consent for the collection of every piece of data – even if they are processing data that originated elsewhere.
For example, GDPR requires websites to obtain explicit consent for cookies before they’re placed on the user’s browser. The purpose of each cookie must be explained to users in plain language, and the user must be given the ability to accept or reject that collection of information. We’ve found that websites that have been under development for a long time or use many types of third-party analytics can set hundreds of cookies. It requires thorough analysis to understand the purpose of each one. The scope is huge, and the granularity is specific. These are not small efforts, and many companies are only just beginning to realize what is required.
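The consent-before-cookie rule and the cookie inventory described above, as an added example that is not part of the original post: a small consent gate that refuses to set any cookie whose purpose is undocumented or whose category the user has not explicitly opted into, plus an audit that flags observed cookies missing from the registry. Cookie names, categories, purposes and the sample inventory are constructed for illustration.

```javascript
// Added example (not from the original post). The registry below is
// constructed: every cookie the site sets, with a plain-language purpose and
// a consent category. Only "necessary" cookies may be set without opt-in.
const COOKIE_REGISTRY = {
  session_id: { category: "necessary", purpose: "Keeps you logged in during your visit." },
  csrf_token: { category: "necessary", purpose: "Protects forms against cross-site request forgery." },
  _analytics: { category: "analytics", purpose: "Counts page views to measure site usage." },
  ad_segment: { category: "marketing", purpose: "Remembers ad interests to personalise adverts." },
};

// Consent state: explicit opt-in per category. A user who has not interacted
// with the banner yet has consented to nothing beyond "necessary".
function createConsent(accepted = []) {
  const state = new Set(accepted);
  return {
    has: (category) => category === "necessary" || state.has(category),
    grant: (category) => state.add(category),
    revoke: (category) => state.delete(category),
  };
}

// Decide whether a cookie may be set under the current consent state.
// Unknown cookies are refused outright: if nobody documented its purpose,
// the user cannot have been told what they were consenting to.
function canSetCookie(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return { allowed: false, reason: "unregistered cookie" };
  if (!consent.has(entry.category)) {
    return { allowed: false, reason: `no consent for ${entry.category}` };
  }
  return { allowed: true, reason: entry.purpose };
}

// Audit an inventory of cookie names observed in the browser (for example,
// collected by crawling the site) and return those with no documented purpose.
function auditInventory(observedNames) {
  return observedNames.filter((n) => !(n in COOKIE_REGISTRY));
}

// Constructed inventory: two cookies a third-party script dropped without
// anyone registering them, which an audit should surface.
const SAMPLE_INVENTORY = ["session_id", "_ga_stub", "ad_segment", "x_vendor"];
```

In a real site the same gate would sit in front of every `document.cookie` write and every third-party tag loader, so that the banner's choice actually governs what gets set.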
3. Marketing requires a paradigm shift.
GDPR affects people across the organization, with the biggest impacts on IT operations, application development, legal, and marketing teams. It introduces “new-to-many” concepts, like consent management and cookie management. And while IT has new techniques and tools to learn and legal needs to understand the intricacies of the new regulation, most of the work they have to do is within their comfort zone.
We’ve seen that the new regulations pose more significant challenges, however, for many marketers, particularly those in lightly regulated industries who may be unfamiliar with global privacy issues and laws. They need to be more cognizant of where personal information is stored and whether consent has been given by the person it represents. The definition of personal information has also expanded, now including data like cookie IDs and IP addresses. And consent management has changed significantly, becoming much more granular and specific to the task at hand. Marketers’ techniques have to change – and their technologies, which have evolved to capture specific information that informs behaviors and metrics, also have to change to accommodate the new way of doing business.
4. Data management complexities provide added challenges.
While marketers worry about consent, other departments, especially IT, are drowning in data. Most companies have begun their GDPR initiatives by inventorying the information they’re storing, where it’s kept, and for what purpose. This has been a mammoth task for many companies in this era of big data.
There are also new requirements, like those for data portability and the right to be forgotten, that necessitate the creation of new procedures for both the business and IT. Cross-functional processes must be created to provide reports of stored personal data, modify or delete data elements, or completely erase all traces of information upon an individual’s request. Employees have to be educated on how to respond to these requests. Again, it’s not just about implementing new techniques or tools; it’s also about learning foreign concepts and changing the way we view personal information.
5. The future is unclear.
Organizations recognize that GDPR will continue to impact them moving forward. And no one is ever 100% compliant, so they have to be prepared – with business and technical processes in place – to maintain an “acceptable” level of compliance and respond to unforeseeable actions by the European Data Protection Authorities (DPAs) and individuals who now have the right to question practices and expect action.
As we wrote earlier, if an organization is truly trying to comply, with a plan in place and evidence of execution, we expect the DPAs will be lenient. European countries want to do business with us, but we have to take the rights defined in the GDPR seriously. This is an opportunity for all companies to review the information they collect about customers and users and ensure that they have appropriate justification for how they use that data.
Large companies, such as Facebook and Google, who collect monstrous amounts of data, have come under scrutiny first. While this is perhaps not a pleasant experience for them, the outcomes of the legal action will help us understand what GDPR really means.
What can you do to protect your company?
If there’s a chance you are storing data for EU citizens, even if unplanned, educate yourself and engage compliance or privacy expertise to create a path forward. Our approach with clients has been multi-faceted. Most have asked for assistance integrating compliance into their existing business and technical processes and/or designing new ones. They’ve also asked for help identifying where personal data resides, how it’s being collected and processed through websites and apps, and where it’s being stored.
Additionally, it’s advisable to stay aware of how companies are being affected by complaints, investigations, and data breaches when they inevitably happen. Stay up-to-date on changes and clarifications to the regulation. The GDPR has 99 articles and is prescriptive – but there is a lot left to interpretation, and numerous clarifications have already been released. Most importantly, recognize that this is a regulation. Compliance is the best protection for your company.
Finally, the regulation isn’t all bad news. It has put forth sound ideas for managing marketing efforts, communications, and storage of personal information in a fair, humane way. We think that’s a good thing.
If you want to learn more about how we’ve helped our clients work toward GDPR compliance, please contact us. We’d love to connect with you!