This is part of a series on how GDPR affects companies and how to comply with its requirements.
The compliance deadline for the European Union’s General Data Protection Regulation (GDPR) is Friday, but many companies and even European regulators say they’re not ready for the new law, reports show.
Passed in 2016, GDPR aims to give EU residents more rights to control their online data, but it has caused “the biggest shake-up of data privacy laws since the birth of the web,” a Reuters article said. That’s because to comply with it, affected companies must notify the supervisory authority of serious personal data breaches within 72 hours of becoming aware of them, provide individuals with a copy of their personal data, correct inaccuracies in that data and delete it at their request. What’s more, companies must have a lawful basis for tracking people through websites and apps; where that basis is consent, it must be explicit and freely given, and the person’s choice to opt out must be respected.
Those who break the rules could be fined up to €20 million ($23.4 million) or 4% of their total worldwide annual turnover for the preceding financial year, whichever is greater.
No single authority will oversee compliance, although the European Data Protection Board will make sure the law is applied consistently across the EU. A “patchwork of national and regional watchdogs across the 28-nation bloc” will be responsible for enforcement, Reuters said. Yet 17 of the 24 authorities that responded to a Reuters survey said they lacked the funding needed to fulfill their GDPR duties, although 11% said they expected to receive it in the future.
For example, Italy has a budget of €25 million and 122 staff members for GDPR, half of what the country needs in each category, the article said.
GDPR will have a major effect on U.S. companies, too: it applies to any organization, wherever it is based, that offers goods or services to people in the EU or monitors their behavior, and the impact will be greatest for those holding large amounts of data on EU-based customers. But it’s unlikely that many U.S. businesses are ready, said Thomas Pasquet, CEO of Ogury, a GDPR-compliant company that collects data to visualize user behavior on apps and websites.
“It’s crucial that companies wise up on compliance in time,” Pasquet wrote in an email. “Don’t be put off by the apparent complexity of GDPR; seize this opportunity to open a more honest dialogue with your consumers, both at home and abroad.”
One of the biggest challenges companies face with GDPR is working out which data collected before the May 25 deadline can still be kept and used.
“Many companies are housing mountains of European user data that might soon become obsolete should they not (re)obtain consent from those same users,” Pasquet wrote. “For some, this has resulted in a flurry of last-minute emails to entire user bases in a vain effort to capture as many opt-ins as possible, while others have taken a more considered approach by planning for explicit user consent a long time ago.”
Adding to the confusion is GDPR’s lack of prescriptive detail. For example, it requires companies to put in place security measures “appropriate to the risk,” and although it names examples such as encryption and regular testing of controls, it does not spell out a checklist; what counts as appropriate depends on the data and the risk to the people it describes. In practice, that means documenting the risk assessment and the controls chosen in response to it. “Our understanding is that should they be audited, companies must be able to point to the considered steps that they have taken to protect the data privacy of their users,” Pasquet wrote.
Getting GDPR compliant is about more than avoiding fines, though. It’s about building trust with consumers at a time of data breaches and leaks. Additionally, it will position U.S. companies well for when Congress passes similar legislation, something Pasquet predicts will happen.
To check your GDPR readiness, take Ogury’s quiz.