This time last year, companies were scrambling to get compliant with the EU’s General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, and aims to give individuals more control over their personal data. GDPR applies to any company that holds personal data of individuals residing within the EU, and failure to comply with GDPR could cost companies up to €20M or 4% of annual global turnover. As a result, we saw most take a ‘sky is falling’ approach leading up to the enforcement deadline.
According to a PwC survey, more than 40% of companies, including American companies with a data presence in the EU, spent over $10 million preparing to comply with GDPR, but according to an April 2019 study, only 27% of U.S. companies are fully compliant, and most are just winging it and hoping not to be breached.
Should they be worried?
Of course, in the long term, compliance should be a priority. But the short-term legality is not so cut and dried. Looking back one year later, was all the fear and confusion around GDPR worth all the hype it was given?
In reality, probably not.
Global enforcement is nearly impossible
Security enforcement at a global scale like GDPR makes it nearly impossible to enforce right out of the gate. Need proof?
Per regulations, data breaches must be declared within 72 hours after they have been discovered, and proper authorities -- and affected data subjects -- must be notified.
However, there have been over 59,000 data breach notifications this year -- and only 91 fines. We’re not seeing proactive enforcement, but rather solely reactive.
Of course, higher-priority breaches have taken precedent, but many organizations are still waiting to hear from regulators if any action will be taken against them at all, and it’s been months. This enforcement backlog is only expected to keep piling up.
Should regulators instead look to follow and implement something like the successful California S.B. 1386 regulation? This law, which went into effect in 2003, regulates the privacy of personal information, and has seemed to do a better job than GDPR so far.
Tech behemoths have no real incentive
There are many big companies like Google, Netflix and Facebook that are still trading bad third-party data. But even if these companies hide a breach from the public and get caught by GDPR enforcement, will consumers even bat an eye? If Facebook gets hacked, not many people will walk away; users will just be forced to change their passwords and continue to use the massive social media giant’s platform.
Or take it from Google’s recent compliance fine: The French Data Protection Authority announced earlier this year that it had fined Google about $57 million, due to the company not disclosing how data is collected from users across all its services. But, is $57 million just pennies to Google? These major companies aren’t dealing with the same financial or social conscious burdens as smaller companies. They’d rather pay a fine and move on. They are not as concerned about losing customers as smaller companies. Therefore, there is little incentive for them to be compliant.
An opportunity exists
Whether or not GDPR can be enforced to the level initially feared, it brings one opportunity organizations would be remiss to ignore. GDPR requires companies to understand their data flow, what exactly is being collected, and where it is. Companies are effectively doing an audit that helps them find the most sensitive data in the infrastructure and streamline all their protection processes.
Organizations that take this exercise seriously will be better off in the long run with stronger, more secure data infrastructure. They’ll also be better able to market themselves to customers who want to know their data is secure.
Only time will tell with how GDPR and regulators can keep up with the influx of breaches and violations, but that doesn’t mean GDPR is something to brush aside. Make an honest effort to clean your data stores, delete unnecessary data, perform regular systems tests, and implement the strongest security measures possible. While GDPR may not have lived up to its Y2K-like media hype, getting your data houses in order can only be a good thing.
Tim Reilly leverages over 25 years of business, financial and operational experience at public and private companies in the networking, software and Internet industries. Prior to Zettaset, Reilly was the vice president of finance at Trapeze Networks (acquired in August 2008 by Belden, Inc.). Prior to that, he served as the vice president of finance at netVmg (acquired in September, 2003 by Internap Networks). He also has held numerous financial positions at WorldxChange Communications (acquired in February 2000 by World Access), CATS Software and Ernst & Young, LLP. He is a certified public accountant and earned a BS in Accounting from the University of Southern California.