The EU's General Data Protection Regulation (GDPR) has just passed the 100-day mark, so what has happened, and how have companies and consumers reacted? What challenges remain?
Many firms not compliant
GDPR compliance seems to be a work in progress rather than a switch that was activated on 25 May 2018. Many companies still don't feel they are fully compliant with the regulation and a recent survey by cybersecurity authority Imperva found that, three months on from the GDPR go-live date, nearly a third of organisations are not sure that they comply fully with the regulation. One of the biggest problems for companies seems to be getting their data storage in order. Understanding exactly where all data is stored is one of the huge hurdles companies face. With fines set at €20 million or 4 per cent of global turnover, being fully GDPR compliant is a pressing issue.
Although no companies have yet been prosecuted for lack of GDPR compliance, the number of complaints received by the UK's data protection watchdog has more than doubled since the regulation came into force. Law firm EMW filed a freedom of information request, which showed that the number of complaints to the Information Commissioner's Office (ICO) between 25 May and 3 July this year was 6,281, compared to just 2,417 during the same period in 2017. EMW's James Geary stated: “A huge increase in complaints is very worrying for many businesses, considering the scale of the fines that can now be imposed. We have seen that many businesses are currently struggling to manage the burden created by the GDPR, whether or not that relates to the implementation of the GDPR or reportable data security breach incidents.”
Work in progress
GDPR is a work in progress – not just for the companies that are still struggling to comply well after the deadline has passed, but also for the regulators themselves. In the UK, the ICO published further clarification on GDPR last month, with updated guidance on the restrictions relating to international transfers of personal data.
Advice for companies
Deloitte has published the following advice for companies to ensure they pass their GDPR audit:
- maintain momentum in adopting new technology resources, business processes and appointing new talent to ensure ongoing compliance;
- don't get complacent: continue to improve on GDPR-compliant business practices to ensure they are sustainable and successful in the long-term; and
- the role of technology is key to efficient compliance and many companies may have to adapt their supporting technology.