It’s hard to believe it’s been one year since the GDPR enforcement took effect (May 25, 2018). For many, the honeymoon (or “honeydo”) hasn’t quite worn off yet, as organizations are still trying to ensure they meet some level of conformity to the most encompassing privacy regulation to date. There are also those who will continue to roll the dice.
Initially, many small and mid-sized US-based organizations believed that GDPR would not apply to them, since they had only a small European presence of either customers or employees. But upon further study they realized this was more than just a compliance activity. Organizations discovered that they needed to revise and refine their entire enterprise strategy around privacy, with a better understanding of where their data was moving both within the organization and outbound to processors.
Last week I was across the pond meeting with senior-level operational risk professionals from Europe, and I wanted to get feedback from the front lines. I was taken aback by some of the things I heard.
Firstly, many companies are still wrestling with GDPR implementation, which has proven to be time- and resource-intensive. Some expected their budgets and staffing to increase to address compliance, but sadly, neither has occurred.
Secondly, for many of these companies, GDPR compliance has slowed their digital transformation toward more efficient use of data within their organization. The main reason for this is that organizations continue to be either unsure or uncomfortable about what can be shared internally and externally, and they have grown deeply concerned about failing to conform to GDPR and other regulations.
Thirdly, some have indicated that GDPR is “yesterday’s news” and that they are moving on to addressing other more pressing concerns. I did not receive any indication as to whether this may be due to their present comfort with conforming to the regulation or that they feel they have no need to pursue such activities further.
Finally, there are firms that have not done anything and do not plan to – until they see stronger evidence of penalties being used in the enforcement process.
The common theme appears to be: if you are a mature organization, then you have most likely taken the time to build "privacy by design" into your risk structure. These organizations have generally found the right people, developed appropriate privacy processes, procedures and linkages, and are able to track all points of customer data internally and externally. Conversely, this causes headaches for many of these companies, as they are now afraid of sharing any customer data internally and/or externally, which impairs their ability to target potential market opportunities out of fear of potential fines and reputational damage from GDPR compliance missteps.
So, now that you are coming through your GDPR hangover, anyone up for a round of CCPA?