It’s hard to believe it’s been one year since the GDPR enforcement took effect (May 25, 2018). For many, the honeymoon (or “honeydo”) hasn’t quite worn off yet, as organisations are still trying to ensure they meet some level of conformity to the most encompassing privacy regulation to date. There are also those who will continue to roll the dice.
Initially, many small and mid-sized US-based organisations believed that GDPR would not apply to them because they had only a small European presence of customers or employees. But upon further study they realised this was more than just a compliance activity. Organisations discovered that they needed to revise and refine their entire enterprise strategy around privacy, with a better understanding of where their data was moving, both within the organisation and outbound to processors.
Last week I was across the pond meeting with senior-level operational risk professionals from Europe, and I wanted to get feedback from the front lines. I was taken aback by some of the things I heard.
Firstly, many companies are still wrestling with GDPR implementation, which has proven to be a time- and resource-intensive effort. Some expected their budgets and staffing to increase to address compliance, but sadly, neither has occurred.
Secondly, for many of these companies, GDPR compliance has slowed their digital transformation toward more efficient use of data within their organisation. The main reason for this is that organisations continue to be either unsure or uncomfortable as to what can be shared internally and externally, and are growing deeply concerned about failing to conform to GDPR and other regulations.
Thirdly, some have indicated that GDPR is “yesterday’s news” and that they are moving on to address other, more pressing concerns. I did not receive any indication as to whether this is due to their present comfort with conforming to the regulation or to a feeling that they have no need to pursue such activities further.
Finally, there are firms that have not done anything and do not plan to – until they see stronger evidence of penalties being used in the enforcement process.
The common theme appears to be: if you are a mature organisation, then you have most likely taken the time to build “privacy by design” into your risk structure. These organisations have generally found the right people, developed appropriate privacy processes, procedures and linkages, and are able to track all points of customer data internally and externally. Conversely, this causes headaches for many of these companies, as they are now afraid of sharing any customer data internally and/or externally, which limits their ability to target potential market opportunities out of fear of fines and reputational damage from GDPR compliance missteps.
So, now that you’re coming through your GDPR hangover, anyone up for a round of CCPA?
About the Author
Shared Assessments Senior Director and CISO, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is an internationally recognised subject matter expert and top-rated speaker on third party risk.
This article is shared with the kind permission of Shared Assessments.