GDPR – Anyone Ready Yet?
May 25th is behind us and all sides involved were supposed to be ready. Let’s do a reality check…
Is your Industry/Business ready for GDPR?
According to a survey of 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia, conducted by technology research firm Vanson Bourne on behalf of cyber security company Clearswift, as of October 2017 (https://www.clearswift.com/about-us/pr/press-releases/gdpr-readiness-education-sector-rivals-technology-industry-race-towards-general-data):
“Only 1 in 4 businesses currently ready for GDPR, but a further 44% expect to be ready in time for next May.
Finance (£215m) and IT (£266m) departments see the most funding for GDPR investment.
Education sector (31%) rivals Technology and Telecoms industry (32%) in being ready for GDPR.
Healthcare (17%) the least likely to be ready for GDPR over any other sector. Retail (18%), Marketing (19%) and Legal (21%) sectors follow close behind.”
Unfortunately, based on our own and our partners' information, a significant number of US companies are still trying to determine whether they are subject to GDPR compliance and how to proceed.
If not ready, just block access…
If you have tried to browse to the Chicago Tribune’s website from the European Union after May 25th, you have been greeted with the following message:
According to the Wall Street Journal (https://www.wsj.com/articles/u-s-websites-go-dark-in-europe-as-gdpr-data-rules-kick-in-1527242038):
“Tronc Inc., publisher of the Los Angeles Times, New York Daily News and other U.S. newspapers, was among those that blocked readers in the European Union from accessing sites, as they scrambled to comply with the sweeping regulation.”
The logic behind this stop-gap approach is that by blocking access from EU countries you can avoid the steep potential penalties for GDPR violations (up to €20 million, or 4% of the global annual revenue for the prior financial year, whichever is higher).
Where there is demand there will be supply… EziGDPR (https://www.ezigdpr.com/products/eu-visitor-blocker) is one of the services advertised on the internet offering an “Ezi” approach:
“Get up and running in just a few minutes. Pop a single line of code into your website's head and block European Union traffic - any incoming traffic originating in the European Union will be blocked, and redirected to an information page explaining that at the present time you are unable to serve them.”
And what about Supervisory Authorities?
As we know, EU states will have national independent Supervisory Authorities working collaboratively to enforce GDPR. This effort will be coordinated by the European Data Protection Board (EDPB).
According to a recent Reuters survey, seventeen out of twenty-four Authorities “…said they did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties.”
As summarized by Reuters:
“Most respondents said they would react to complaints and investigate them on merit. A minority said they would proactively investigate whether companies were complying and sanction the most glaring violations.
Their responses suggest the GDPR enforcement regime will be weaker than the bloc's anti-trust authority run directly by the European Commission…”
This largely echoes how Elizabeth Denham, UK Information Commissioner at the ICO (Information Commissioner's Office), has explained the approach of this UK Authority:
“The first thing we are going to look at is, have they taken steps, have they taken action to undertake the new compliance regime”
“Do they have a commitment to the regime?”
“We're not going to be looking at perfection, we're going to be looking for commitment.”
(The UK government has confirmed that it will implement the EU General Data Protection Regulation, notwithstanding the UK's decision to leave the EU).
Keep calm and start working on your GDPR program.
Our advice is not to panic – it is not yet too late to start working on GDPR compliance.
Reach out for help if your organization does not have the necessary resources and expertise.
And remember – GDPR is not an “IT problem”. It takes the effort of the whole organization, from the C-suite down, to evaluate business processes and make sure that personal data is protected as required by this regulation.
If you missed the first and second blogs in this three-part series, you can find them here:
GDPR Readiness - Three Steps to be Ready
GDPR: How Do You Go About Getting Your Arms Around It and Move Forward?