GDPR Readiness Said Lagging in Europe but Better Among US Companies
With the deadline for compliance with the EU General Data Protection Regulation looming, many companies are still far from ready, business organizations we spoke with said. The GDPR takes effect May 25. Despite the seriousness of noncompliance, preparations are uneven, with U.S. tech companies and global digital enterprises further along than smaller businesses, industry representatives said. Still lacking is final guidance from the EU Article 29 Data Protection Working Party (WP29), which said Wednesday its last set of guidelines should be completed in coming weeks.
Recent surveys point to potential problems. Senzing, which provides automated systems for searching company information to locate personal data, surveyed 1,015 companies in the U.K., Germany, France, Spain and Italy, finding "an even more alarming picture of GDPR readiness, or lack thereof, than has been reported," CEO Jeff Jonas reported: Sixty percent of companies aren't ready, and many "appear to be sleepwalking towards a GDPR abyss." The problem is the difficulty of locating data "across multiple, often messy, databases," he said. A September study by German digital association Bitkom of more than 500 national companies found that only 19 percent of those dealing with the GDPR assumed they would have implemented its requirements fully by May 25. "People burying their head in the sand will soon be violating the law and risk fines at the expense of their company," wrote Susanne Dehmel, Bitkom executive board member for law and security.
"Implementation can be extensively time consuming, one needs to plan in a lot of time, and [that is] only feasible if you start early enough," said DigitalEurope Director General Cecilia Bonefeld-Dahl. Small and mid-size enterprises in Europe are only now trying to understand what the GDPR is and how to comply with it, she said. The group is raising awareness among its national trade association members, and provides regular input to WP29 draft guidelines on provisions such as consent, transparency, profiling and data breach notification to ensure that the rules are "clear, reasonable and workable," she said.
U.S. tech companies are doing very well with preparations, while a U.K. government study recently found that around half of British companies aren't even aware of the law, said Information Technology Telecommunications and Electronics Association (techUK) Policy Manager Jeremy Lilley in an interview. The GDPR applies to any organization that processes personal data, he said. Many U.K. companies that are covered, such as those in the retail or automotive sector, aren't traditionally considered data processors and haven't "lived and breathed" the GDPR like the tech industry has, he said. TechUK has heard from members with substantial U.S. subsidiaries that many businesses there are treating the regulation as a global rollout. Even so, more work is needed in the U.S. and EU to bring people up to speed, Lilley said.
On a practical level, DigitalEurope members are ensuring they can document all data protection procedures and put relevant compliance processes in place, Bonefeld-Dahl said. That's a good exercise for checking their data-processing operations for completeness and gaps regarding data protection principles such as the legitimate basis for the data processing, purpose limitation, data minimization, data deletion and the need for data impact assessments, she said. Enterprises also are trying to improve privacy notices, consent declarations and privacy policies, and are setting up procedures for data breach notifications, she emailed: "All data processing agreements with your data processors (vendors) should also be in place and double-checked."
TechUK members must begin to understand what personal data they hold, where it's held and what they're using the data for, Lilley said. If they can answer those questions, they can start implementing the GDPR, he said. U.K. businesses are in a tricky position because they're awaiting guidance from the WP29 and the U.K. Information Commissioner's Office, he said. That guidance is expected in the next few weeks, which won't give companies much time to digest it and update their policies, he said.
The WP29 published 12 more guidelines Tuesday to help stakeholders understand how to implement the regulation, outgoing Chairman Isabelle Falque-Pierrotin said at a news briefing. These and earlier guidelines "are not set in stone," and will need to be tested and, possibly, revised at some point, she said. Some of the draft guidelines will now go to public consultation, to be finalized at the next plenary, she said. Asked about concerns that WP29 is slow in releasing the guidance, she said the panel wanted it to be based on realities and therefore had to take the time to seek input from the privacy professionals who will have to deal with it. The WP29 elected Andrea Jelinek, director of the Austrian Data Protection Authority, as its new chair.
The GDPR has a new provision on accountability that requires businesses to document their compliance, and they're starting to do that, said Lilley. TechUK's position is that as long as companies document everything they do with personal data, they are more likely to be looked at kindly if they suffer a data breach, he said. U.S. companies should be doing all this as well, and should also consider that if they are in the EU, they will need a data protection representative there, he said. When a data processor or controller not based in the EU transfers data to the U.S., it should ensure it has signed onto Privacy Shield, he said. "GDPR compliance is more than a tick-box exercise; it is embedded in the heart of the business strategy," said Bonefeld-Dahl.