What to do if you're not ready for GDPR

Not ready for GDPR? You're not alone, and there are resources to help.

This is part of a series on how GDPR affects companies and how to comply with its requirements.

Today is the deadline for complying with the European Union’s General Data Protection Regulation (GDPR), which tightens data privacy controls for any company dealing with sensitive information on customers in the EU. If you fit that description, but aren’t quite in compliance yet, don’t worry. You’re not alone.

Almost half the 1,000 companies the Ponemon Institute surveyed (PDF) regarding GDPR compliance said they would be ready by today. Forty percent said they will achieve compliance after the deadline, while 8% had no time frame. Small companies with fewer than 500 employees are the least likely to comply on time, while midsize firms of 5,001 to 25,000 workers are most likely, according to the report.

It’s not that respondents are unaware of the consequences of noncompliance—a fine of up to 20 million euros or 4% of annual revenue, whichever is higher. Seventy-one percent of them said failing to comply would have a detrimental impact on their organization’s ability to conduct business globally, and 60% said it will significantly change workflows for collecting, using and protecting personal data.

A survey by Capgemini found 85% of European firms won’t be ready today, with British companies being the most advanced and Swedish the most behind, according to a CBS News article. Britain’s Federation of Small Businesses estimates that complying with the rules will cost companies an average of about 1,030 pounds, or $1,390, the article added.

“The general assumption is that when the deadline hits, European regulators will treat it as a soft opening, going easy on companies for a honeymoon period while everyone figures out how the law is going to work,” according to an article in The Verge. “But regulators can’t entirely control what’s going to happen on May 25th because parts of the GDPR are user-driven.”

Companies have 30 days to respond when an EU resident exercises their GDPR-given rights to be forgotten or to see the data a company holds about them and how that information is being used. If the company doesn’t answer, the customer can file a complaint with a local regulator, which is required to enforce the rules but may not levy the 4% fine.

If yours is among the companies that need to get going quickly, here are a few resources that can help, according to a Fast Company article:

  • Parker, an automated chatbot from an international law firm that is “essentially a checklist in chat form.”
  • The GDPR Checklist, from a group of startup founders from Belgium, is published under a Creative Commons license and maintained on GitHub, enabling companies to tweak it for their needs or suggest revisions.
  • A tool from Segment that helps customers track data requests, updates and user content changes.

“Even though GDPR’s big debut is bound to be messy, the regulation marks a sea change in how data is handled across the world,” The Verge said.