GDPR Is Live: What Now?
Privacy expert David Ross, with Baker Tilly, tells us what to watch for now that GDPR has taken effect.
As of May 25, the General Data Protection Regulation (GDPR) has been in force. But this isn't the end; as with any regulation, companies will need to keep track of their implementations, interpretations of and changes to the regulation, and requests from customers to delete personal information. Are they really ready for all this?
Wanting to learn what to watch for now that GDPR has taken effect, I reached out to David Ross, a principal at accounting and advisory services firm Baker Tilly. Ross, who serves as the firm's privacy practice and cybersecurity advisory leader, frequently speaks on privacy and cybersecurity strategy, innovation, business strategy, and critical problem-solving for corporations. The following is an edited version of our conversation.
Now that GDPR is in effect, how many organizations think they're ready?
This depends on how you look at the market. For large, U.S.-based multinational corporations, I would guess better than half. For middle market firms with some EU presence, I would estimate less than 15%. The good news is, when considering risk, GDPR enforcement has moved privacy from the bottom of the list (where it typically isn't addressed in a significant way) to near the top.
In your opinion, how many organizations are actually ready for GDPR?
Many organizations have either received dubious advice or have decided on their own that GDPR does not apply to them. The key is to think in the broader context of privacy and make an informed decision about what you are going to collect and why and how you are going to communicate this to the data subject (EU citizen). In many cases, the remediation is not a very big lift and provides other benefits to the organization.
Will those organizations that need to comply with GDPR have to contend with a large number of requests for reports on personal data?
Most organizations have not considered the consequences of the data subject rights defined in the GDPR. Replying to requests could be a substantial effort for organizations with large sets of (particularly younger) data subjects as customers. We have been advising our clients to have a consistent process that documents both the request and the response, making sure to refer back to one of the six valid reasons for collection under the GDPR.
Will companies see an influx of requests to have their personal data removed?
I think there will be. Particularly for companies/brands that do not have the best public reputations. We also are advising clients in high-risk market segments to be prepared for activists using the GDPR as a non-market strategy to meet their objectives.
Will the requests for reporting and removal come in a surge for the next few months, or will the requests be a permanent problem for those dealing with personal data?
I think that after the initial surge most organizations will reach an equilibrium state that is manageable.
Assuming that an organization tries to comply with GDPR, do you anticipate it conducting a number of audits to ensure compliance?
Until we start to see how regulators are going to enforce GDPR through case law, I think 'audit' is probably too strong a word for what most U.S.-based companies will do. However, real-time compliance monitoring and assessments are probably adequate for most organizations. We are encouraging our clients to have this conversation proactively and then build a sustainable privacy program.
Once the dust has settled, do you anticipate some regulatory interpretations and changes to the GDPR that will further clarify the regulations?
Typically, we use case law to interpret how the regulators are going to enforce a broadly worded regulation. In the case of GDPR, that case law does not yet exist. It will be interesting to see how the various regulatory authorities across the EU enforce the regulation.
My Final Thoughts
GDPR is a living regulation, and we don't yet know what the final impact will be. We have a pretty good idea, but you never know about the future and the impacts caused by unforeseen consequences. There may be some backlash to some of the regulations that will eventually affect the implementations in place.
Enterprises need to keep abreast of what's happening in the EU with GDPR. This isn't a static situation, and it may not resolve itself into a stable environment for another year or two.