The European Union’s new data privacy rules have been in effect for more than two months now, yet many companies haven’t done much to ensure they are abiding by them, according to a recent survey.
The poll, conducted by Deloitte during a webcast in late June, found that only about a third of the nearly 500 respondents say their organizations can defensibly demonstrate compliance with the new data privacy rules, the General Data Protection Regulation (GDPR), which took effect on May 25. Another third of respondents (32.7 percent) say they hope for their organizations to be compliant by the end of the year.
Some companies don’t seem to be in a hurry to reach compliance with GDPR, despite hefty penalties for those that violate the regulation. A fine up to €20 million ($23.5 million) or up to 4 percent of the annual worldwide revenues of the preceding financial year can be levied for violating certain provisions of the regulation. Still, more than one in ten respondents (11.7 percent) say their organization is taking a “wait and see” approach to achieving compliance with the regulation. Some said there was still too much uncertainty about how the EU will enforce the new rules.
“The fact that the GDPR effective date has come and gone and many are still scrambling to demonstrate a defensible position on GDPR compliance reflects the complexity and challenges as the world of privacy rapidly changes,” said Rich Vestuto, a Deloitte Risk and Financial Advisory managing director.
What About Third-Parties?
Companies have also struggled to get the third parties they do business with in line with the new rules. A majority (56 percent) say they aren’t done discerning what data third parties have or the potential implications of GDPR on third-party contract management. About 10 percent have yet to begin addressing third-party GDPR compliance at all. Meanwhile, only 13.6 percent of respondents say they are confident that their organizations know what data third parties have and are leveraging artificial intelligence and other technologies to analyze and manage third-party contracts for GDPR compliance.
“Among the biggest GDPR compliance challenges is third-party contract management. Under GDPR, organizations are responsible for ensuring privacy protection of EU-regulated data shared with or used by vendors and service providers, which requires those organizations to know who their vendors are and precisely what data those third parties hold,” added Vestuto. “Updating or renegotiating contracts and agreements may help ensure third parties are GDPR-compliant when using your organization’s EU-regulated data.”
»“The fact that the GDPR effective date has come and gone and many are still scrambling to demonstrate a defensible position on GDPR compliance reflects the complexity and challenges as the world of privacy rapidly changes.”
—RICH VESTUTO, DELOITTE
Thinking Beyond GDPR
Smart companies aren’t just considering GDPR compliance, but ensuring their efforts are scalable to address potential regulation in other jurisdictions. California, for example, passed tough new privacy rules last month. The regulation, which takes effect in 2020, gives consumers sweeping control over their personal data. It grants them the right to know what information companies like Facebook and Google are collecting, why they are collecting it, and whom they are sharing it with.
According to the Deloitte poll, nearly half of respondents (48.2 percent) say their organizations’ data privacy programs are scalable to address pending rules in other jurisdictions even if their immediate focus is GDPR. Also, 19.8 percent report that their organizations’ programs are focused solely on GDPR without scalability, potentially leaving them unprepared to deal with new rules elsewhere.
“Other jurisdictions beyond the EU are enacting more stringent data privacy protections,” said Vestuto. “Data privacy programs should be scalable and requirements rationalized on a global basis to ensure that organizations are able to address current and pending rules in various jurisdictions as needed.”
That Was Fast
Companies that have been slow to achieve compliance with GDPR might want to shift into gear, since some companies are already feeling the sting of accusations of non-compliance. Just hours after the regulation took effect in May, the lawsuits began flying over non-compliance.
Austrian data privacy advocacy group None of Your Business (NOYB) filed suits against Facebook, Google, and Facebook subsidiaries WhatsApp and Instagram alleging that the tech firms have violated GDPR. The suits claim the tech giants violated the law by forcing users to turn over private data in order to use their services.
“Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases,” says Max Schrems, chair of NOYB in a statement when the suits were filed.
Those companies that aren’t in compliance or don’t know if they are could soon find out the hard way. NYOB and other data privacy advocacy groups say they will continue targeting and suing companies that aren’t abiding by the law, although it’s still too soon to tell how serious the EU is about pursuing those massive 4 percent of revenues penalties that are part of the law. 
Joseph McCafferty is Editor & Publisher of Internal Audit 360°