The General Data Protection Regulation came into effect almost exactly three months ago, and—in honor of this anniversary—it seems fitting to do a quick assessment of how things are going. Have companies been generally successful in achieving compliance? Have any serious fines been imposed yet? And—most importantly—what steps can we still take to ensure that we become fully compliant?
First things first. According to a report recently released by AIIM, at the time of the deadline, 30% of the organizations surveyed reported that they were 100% compliant and 50% were a quarter of the way to total compliance. Three months later, we hope these numbers are somewhat higher, but the report indicates a general lack of preparedness and disorganization. According to AIIM, the companies they surveyed used “a variety of accountability models for GDPR,” meaning that different departments, such as IT, legal or compliance, are responsible. Whether this is due to disorganization or merely to different strategies for parceling out responsibility, AIIM doesn’t say, although the report also notes that “only 36% of organizations have a dedicated privacy function” and that “information privacy is still an afterthought for most organizations.” To highlight the situation further, AIIM also presents “legal obligation” as the surveyed organizations’ primary motive for compliance with GDPR. Once again (and AIIM does go so far as to allude to this), an overall understanding of GDPR’s far-reaching importance, beyond its being a legal must, is strikingly absent.
This is no small problem. In a recent pre-GDPR blog post on the Facebook/Cambridge Analytica scandal, we wondered whether the regulation would have put Facebook in deeper trouble. Well, no sooner did May 25 roll around than Facebook and Google were hit with massive lawsuits over GDPR non-compliance. According to The Verge, each of these lawsuits totals about 8 billion US dollars, no small fine even for a multi-billion dollar conglomerate like Facebook or Google, and a good indication of how serious European authorities are about enforcement. Even for small businesses, the fines that can arise from GDPR non-compliance can prove disastrous. And, as GDPR compliance becomes more expected, it’s possible that companies that don’t comply, or that take a legalistic approach toward technical compliance, will suffer greater consequences from the authorities and lose trust in the public eye.
Thankfully, there’s no better time than the present to become fully compliant, and no better step to ensure technical compliance and an overall commitment to the principles of GDPR than training. Only 25% of the companies that AIIM surveyed implemented staff training on the regulation. If GDPR is important to your organization, and if you want to demonstrate that commitment in a tangible way, take the time and effort to make sure your employees understand what’s at stake, and how GDPR is crucial to maintaining trust and protecting information.