GDPR will go live in 3 days, and many companies are still struggling to find themselves compliant with it, which is all right since GDPR allowed 2 years for companies to achieve compliance with its regulations. The issue is that while many companies have worked towards compliance, quite a few have not. Some of these companies are hoping that GDPR will be repealed or otherwise revoked before they have to commit resources to becoming compliant. In a recent study, over 50% of the thousand companies surveyed said that they would not be 100% compliant by May 25th 2018.

The issue is multi-faceted; it isn’t purely technological or cultural. Companies in the United States aren’t used to providing reasons for why or how they’re using the data they collect, and being forced to is something they’ll have to adjust to. Additionally, the adoption of GDPR doesn’t force US companies to provide the same protections and services to users from outside the EU. This has led to a situation where companies outside the EU are forced to choose between maintaining separate systems for EU and non-EU users, which is costly and time consuming, or unifying their handling of user data. Integrating two such disparate systems would also be costly and would increase the level of redundancy in an organization, which is something most companies try to avoid. Alternatively, companies could keep all of their user data in a GDPR-compliant manner, but that would require building a very large system of a kind that has never been attempted before, and certainly never at the required scale.
GDPR requires that users, called “data subjects,” be allowed to access the data that has been collected on them and to have it delivered in a portable form. This raises issues for companies that may have data stored across a variety of functional areas, especially if different departments or functional sections use different aspects of a person’s data to perform their duties. The same right of access also allows data subjects to correct inaccurate data if they so choose, and it allows them to request that their data be deleted. When GDPR goes into full effect in 2018, it seems that regulators are going to roll it out slowly and allow a “honeymoon period,” during which they’ll apply the minimum punishment, to give companies a final window in which to achieve compliance. For now, though, GDPR remains a daunting challenge that companies are trying to avoid or are otherwise unprepared for.
Worried about GDPR compliance? We’ll be starting a series that will provide practical advice on how to achieve compliance.
Max is a Legal Assistant and author residing in the Philadelphia area. He has been writing for AskCyberSecurity.com since early 2017.