It’s been a bit more than a year since GDPR took effect, but many organizations have yet to build their compliance program with GDPR in mind.
We’ll review a few practical steps and share a few resources that can help you take that step towards building a sustainable program.
Is Your Business Ready For GDPR?
According to a survey of 600 senior business decision makers and 1,200 employees across the UK, US, Germany, and Australia (Vanson Bourne 2017):
“Only 1 in 4 businesses currently ready for GDPR, but a further 44% expect to be ready in time for May 2018.
Finance (£215m) and IT (£266m) departments see the most funding for GDPR investment.
Education sector (31%) rivals Technology and Telecoms industry (32%) in being ready for GDPR.
Healthcare (17%) the least likely to be ready for GDPR over any other sector. Retail (18%), Marketing (19%) and Legal (21%) sectors follow close behind.”
And as of 2019, only about 60% of enterprises are meeting these regulatory requirements.
Unfortunately, based on RedLegg’s own information and that of our partner, a significant number of US companies are still trying to determine whether they are subject to GDPR compliance and how they should proceed.
If You’re Still Not Ready…
Block access to your site.
Soon after May 25th of 2018, Chicago Tribune blocked access to their website to members of the European Union. Visitors were greeted with the following message:
The logic behind this stop-gap approach is that by blocking access to EU countries, you can avoid steep potential penalties for GDPR violations (up to €20 million, or 4% of the global annual revenue for the prior financial year – whichever is higher).
Where there is demand there will be supply… EziGDPR has been one of the services advertised online offering an “Ezi” approach to compliance:
“Get up and running in just a few minutes. Pop a single line of code into your website's head and block European Union traffic - any incoming traffic originating in the European Union will be blocked, and redirected to an information page explaining that at the present time you are unable to serve them.”
But Are the Supervisory Authorities Ready Yet?
As we know, EU states will have national independent Supervisory Authorities working collaboratively to enforce GDPR. This effort will be coordinated by the European Data Protection Board (EDPB).
When GDPR first took hold, Reuters summarized the Supervisory Authorities’ attitude toward compliance as follows:
“Most respondents said they would react to [data privacy] complaints and investigate them on merit. A minority said they would proactively investigate whether companies were complying and sanction the most glaring violations.”
This pretty much echoes how Elizabeth Denham, UK Information Commissioner at the ICO (Information Commissioner's Office), has explained the approach of this UK Authority:
“The first thing we are going to look at is, have they taken steps, have they taken action to undertake the new compliance regime.”
“Do they have a commitment to the regime?”
“We're not going to be looking at perfection, we're going to be looking for commitment.”
(The UK government has confirmed that it will implement the EU General Data Protection Regulation, notwithstanding the UK's decision to leave the EU).
Beyond this initial year of the regulation (2018-2019), however, companies should expect a stricter attitude, given that they have already had a year of leeway.
Start Working On Your GDPR Program Today
Our advice is not to panic – it is not too late yet to start working on GDPR compliance.
Reach out for help if your organization does not have the necessary resources and expertise.
And remember – GDPR is not an “IT problem.” It takes the effort of the whole organization from the C-Suite and beyond to evaluate business processes and to make sure that personal data is protected as required by this regulation.
To help you get started, we have GDPR resources.
- GDPR 101: Guidelines Simply Stated
- GDPR Checklist: Preparing For Assessment
- Guide To Establishing Your Own GDPR Compliance Program
Article originally written by RedLegg’s Director of Advisory Services, Andrey Zelenskiy and published with the International Legal Technology Association in May 2018.
This article was updated October 2019.