The GDPR Compliance Spectrum

Published On July 06, 2018

The GDPR – How Prepared Were We?

The Ponemon Institute recently surveyed more than 1,000 organizations in the United States and the European Union (EU) to gauge how prepared they were for the EU’s General Data Protection Regulation (GDPR). According to The Race to GDPR: A Study of Companies in the United States & Europe, published in April 2018, 90% of survey respondents knew their organization would be subject to the GDPR, but only 52% were confident they would be compliant with the new law by the May 25^th deadline.

That leaves almost half of organizations in a kind of GDPR compliance limbo – aware they need to achieve compliance, but lacking resources and/or a solid plan to get there.

GDPR Compliance – The Chase Continues

The disparity between organizations that know they need to be compliant with GDPR and the organizations that have achieved it exists for a number of reasons:

1. It is both expensive and difficult to comply with all GDPR requirements. Many organizations have not had the necessary funding or staff to implement the depth of change required to achieve high-level GDPR compliance by the May 25th deadline.
2. Many organizations require comprehensive changes to business processes to comply with GDPR. The Ponemon Institute study cited this as the number one barrier to achieving compliance.
3. Some, less regulated industries, perceive their risk of enforcement actions to be low (e.g., media companies, educational institutions, retail organizations). Whereas highly regulated industries, like the financial sector, are perceived to be at greater risk for enforcement actions and therefore have a higher compliance rate.
4. Whether it because of industry, business size, or a lack of understanding regarding the geographic reach of business partners and customers – some organization have been slow to realize that they are indeed subject to the GDPR. This includes a few surprisingly large entities that thought GDPR wouldn’t apply to them until they were precluded from bidding on contracts for other organizations that are subject to it because they could demonstrate GDPR compliance.
5. The governing bodies responsible for enforcing the new regulations are not yet fully prepared to enforce the GDPR. This lowers the perceived risk for those organizations that already view the new data laws as having little effect on how they run their business.

How Maximum Is Maximum?

Organizations that are lagging behind regarding GDPR preparedness need to catch up. Data breaches have always been costly – regulatory fines, loss of productivity and damage to one’s brand reputation are all hard hits to take.

However, the drastic increase in the maximum potential fines under GDPR hasn’t just changed the rules, it’s changed the game.

According to Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview the average cost of a data breach pre-GDPR was $3.62 million. Now companies could be facing a maximum fine of up to €20 million ($23.2 million) or 4% of the global annual revenue from the prior year, whichever is greater. Hypothetically, an organization with a global annual revenue of $2 billion could be fined up to $80 million if they violate key GDPR provisions.

While the risk of non-compliance comes at a much higher cost than under previous legislation, it remains to be seen how – and to what degree – the Data Protection Authorities (DPAs) of the individual EU member states will enforce the GDPR.

What’s to come – wrist slaps or epic take-downs?

Will those massive maximum fines become a frequent reality for organizations found guilty of a customer data breach or will DPAs adhere to the spirit, rather than the letter, of the new regulation? No one can answer that question until DPAs administer enforcement actions and levy fines for data breach infractions.

And when will that be? It’s difficult to warrant even an educated guess. Many of the Data Protection Authorities are still staffing up and preparing to execute their functions under GDPR. A May 2018 Reuters article cited a survey stating that 17 of 24 DPAs respondents “did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties.”

From Fully Engaged to Playing the Waiting Game

There are clearly numerous factors that contribute to an organization’s perceived risk relative to the investment of time and resources necessary to implement GDPR compliance. While everyone wants to make the best decisions for their organization, it’s a smarter play to work towards some level of compliance, rather than ignore the new laws completely.

Those DPAs won’t be gearing up forever and when they’re ready we’ll start to see what enforcement of the GDPR looks like. And when that happens, no one wants to be on the wrong side of a €20 million fine.