In today’s fast-paced world, the launch of GDPR seems like an age ago. The days leading up to 25th May 2018 were frantic for many businesses as they raced to implement the right controls to meet the compliance requirements.
While the guidelines were comprehensive, GDPR told companies what to do, but not how to do it. Demand for information on how to comply was so high that Google searches for GDPR outstripped Beyoncé 10-1 in the UK in May this year.
Now that the dust has settled, and companies have initiated their new processes, what have we learnt from the implementation of GDPR and how can businesses use compliance with GDPR to their advantage?
Lesson 1 – Interest in GDPR is still high
Consumers are more aware of their data rights and are willing to act. According to the UK’s Information Commissioner’s Office (ICO) there has been a sharp rise in the number of complaints to regulators across Europe.
Commercial law firm EMW recently reported that the ICO received 6,281 complaints between 25 May and 3 July 2018 compared to 2,417 for the same period in 2017, a rise of 160%.
Following the new law, there has been a rise in both the number of breach notifications from organisations and the number of data protection complaints. With the potential of fines of up to €20 million, businesses must take the new regulations seriously.
Lesson 2 – Ambiguity around GDPR has led to failure to comply
The lack of case law, and therefore the ambiguity around GDPR, means that how to comply has been left open to interpretation. As a result, a huge proportion of businesses are not yet compliant with the new regulations. In August, Gartner stated that 75% of companies are still not compliant with the new regulation. It’s not just the smaller companies with smaller budgets and resources who are not complying.
In June, the European University Institute conducted an experiment using artificial intelligence to evaluate the privacy policies of high-profile websites including Facebook, Apple, Uber and Airbnb, among others, to check whether they adhered to the new GDPR guidelines. Their findings were that none of the analysed privacy policies fully met the requirements. There could be many reasons for non-compliance when weighing up the risk of GDPR penalties, customer experience and efficiency measures. A lack of knowledge and understanding is another common reason for lack of compliance. Gathering as much information as possible about GDPR when implementing the controls to meet its requirements is an important lesson.
Lesson 3 – GDPR may be costing you money
In a bid to meet the GDPR deadline, lots of companies rushed through temporary and manual fixes to current processes to ensure compliance. The problem with this bolt-on approach is that the new processes may be unnecessarily complex, unsustainable and expensive. Manual processes can be both prone to error and expensive. Now is the time to take a long-term and strategic approach to GDPR compliance.
The next 100 days
If there is any ambiguity in your organisation on whether your processes comply, don’t delay another 100 days; take action today. Start with these four action points: