GDPR: worst case scenario for 25th of May

Mira Nova
6 min read · May 19, 2018

Only a week is left until the European General Data Protection Regulation comes into full effect. In preparation for the rough times ahead, I looked at the statistics.

#1 GDPR-ready company stats

According to some estimations, only 34% of EU-based websites look compliant with GDPR. Germany and Austria lead, with 67% and 59% of their websites respectively looking GDPR-ready, while Danish and Portuguese websites are the least prepared.

A recent study by the technology association CompTIA reveals that more than half of the 400 U.S. companies surveyed are either “still exploring the applicability of GDPR to their business; have determined that GDPR is not a requirement for their business; or are unsure.”

Another benchmarking report, by the privacy think tank Centre for Information Policy Leadership and the privacy consultancy AvePoint, highlights that about 60% of the 223 multinational corporations doing business in Europe do not know the details of their data content and its lifecycle.

A German newspaper reports that only a quarter of all German companies consider themselves fully compliant, while 4% of companies find themselves only at the beginning of the process.

Apparently, despite the numerous countdowns and severe warnings to get “GDPR-ready,” adequate compliance by the deadline of 25 May does not seem feasible for many organisations.

#2 GDPR-ready country stats

On the other hand, a different survey by Reuters shows that 17 out of 24 EU data protection authorities participating in the survey responded that “they did not yet have the necessary funding, or would initially lack the powers, to fulfil their GDPR duties.”

Notably, the data protection regulators from the U.K. and Ireland declined to take part in the Reuters survey. As a reminder, Ireland is the current European home of tech giants like Google, Apple, Twitter and Facebook, and the U.K.’s Information Commissioner’s Office is a leading investigative body in the Cambridge Analytica case.

Out of the 28 EU member states, only two, Germany and Austria, have adopted national legislation to address the pan-European GDPR. Other states, for example Estonia, the U.K. and the Czech Republic, are still discussing the new legislation at their lawmaking levels.

Although the GDPR as a governing document will apply from 25 May across the entire European Union, it is not quite clear how local regulators, for example in Greece (where no new legislation has been discussed yet), will ensure compliance with the new data protection regime at their level.

#3 GDPR-ready people [data subject] stats

Since I could not find any GDPR-readiness statistics relating to people, or “data subjects” as GDPR dubs us all, I thought about the events of the last few months: numerous data policy updates for apps and programs, as well as the steady stream of emails notifying users of GDPR-related changes. And as the due date approaches, their number is only increasing.

All of us have probably had a chance to enjoy the regularity of these emails, and some of us may even have tried to follow the links. Still, it would not come as a surprise if I confirmed that not many people (those with a technology or legal background excluded) adequately understand the meaning of GDPR and the extent of the rights it provides to a regular person.

#4 GDPR worst case scenario

Imagine an apocalyptic scenario in which, on 25 May 2018, a company receives thousands of data-subject requests, becomes the victim of a ransomware attack, and the local data protection authority knocks on the door with an audit.

GDPR gives general guidelines as to how to respond to such events. Although the specifics may differ from one country to the next, in general, the response expected of any company is accountability.

A customer may request access to his or her data, ask to have his or her account deleted, ask to have his or her personal data transferred to another service provider, and so on. GDPR prescribes that a company must respond to such requests without undue delay, and in any case within one month. This period may be extended by two more months if, for example, answering or acting on the request requires additional proof of identity from the customer.

In the case of a data breach caused by a third party, such as a ransomware attack, or an internally caused data leak, such as sending an email containing personal data to the wrong address, the company is obliged to notify the regulatory authority within 72 hours of becoming aware of the breach. The company must also notify the affected customers if the risk to their rights and freedoms appears high.

In some cases a data breach may be easily discoverable, but in other instances it may not be as obvious. It will be interesting to see how common practice develops in terms of identifying and reporting data breaches.

As noted above, regulatory authorities may not initially have the resources for proactive audits to ensure compliance, but they would be under an obligation to investigate complaints from professional organisations and customers. Therefore, regulatory audits may become routine from 25 May on.

It is expected that a regulatory authority would first look at a given company through its website — is it compliant? Are there obvious violations of GDPR? It may further request reports on the personal data lifecycles within the company, as well as any documents that evidence the technical and organisational measures in place for GDPR compliance.

#5 GDPR compliance as a process

These things may not all happen at once, but they are realistic events that will probably occur at one point or another after GDPR starts applying on 25 May. The most reasonable approach is to see GDPR compliance as a process that may take many months to complete.

First and foremost, the “internet face” of a company — the website — must be compliant with the new rules. This means that the privacy statement on the website is up to date and that all necessary measures have been taken to obtain the required consents for the different categories of personal data and processing operations.

Preparation for compliance must also include detailed internal mapping of data flows and lifecycles. To do that, it is useful to have at least one person in the company who is knowledgeable about the GDPR.

If full GDPR compliance is not feasible at the moment, it is highly recommended that, at a minimum, the company officers draft a plan with realistic tasks and deadlines leading to GDPR compliance in the future.


Mira Nova

Digital law researcher, consultant & connecter. All words and opinions are my own.