Are businesses GDPR compliant yet?

Data and data privacy is a top priority for most businesses, especially for those operating in the European Union (EU) given the implementation of the General Data Protection Regulation (GDPR) in May.

And although the law was announced about two years before it was implemented, providing businesses with every opportunity to explore threats and exposures and take appropriate actions to better protect their data, it seems that most businesses are still struggling to comply.

According to a recent poll by Deloitte, only 34.5 percent of nearly 500 professionals involved in GDPR compliance efforts say their organizations can defensibly demonstrate compliance with the new data privacy rules today.

Litigation, regulatory and internal investigation challenges could abound for others. One-third of respondents (32.7 percent) hope to be compliant within 2018. And, 11.7 percent plan to take a “wait and see” approach amid uncertainty over how EU regulators in various countries will enforce the new regulation.

“The fact that the GDPR effective date has come and gone and many are still scrambling to demonstrate a defensible position on GDPR compliance reflects the complexity and challenges as the world of privacy rapidly changes,” said Deloitte Transactions and Business Analytics LLP ‘s Managing Director Rich Vestuto.

Further, it seems as though only 13.6 percent of respondents are confident that their organizations know what data third parties have and are leveraging artificial intelligence (AI) and other technologies to analyze and manage third-party contracts for GDPR compliance.

A majority (56 percent) aren’t done discerning what data third parties have or the potential implications of GDPR on third-party contract management.

Some (10.2 percent) have yet to begin addressing third-party GDPR compliance at all.

From the looks of it, third-party contract management seems to be the biggest GDPR compliance challenge for most businesses.

Under the GDPR, organizations are responsible for ensuring privacy protection of EU-regulated data shared with or used by vendors and service providers, which requires those organizations to know who their vendors are and precisely what data those third parties hold.

“Updating or renegotiating contracts and agreements may help ensure third parties are GDPR-compliant when using your organization’s EU-regulated data,” said Vestuto.

Finally, it seems as though nearly half of the respondents (48.2 percent) said that their organizations’ data privacy programs are scalable to address pending rules in other jurisdictions even if their immediate focus is GDPR.

In fact, 19.8 percent reported that their organizations’ programs are focused solely on GDPR without scalability, potentially leaving them unprepared to deal with new rules elsewhere.

“Other jurisdictions beyond the EU are enacting more stringent data privacy protections. Data privacy programs should be scalable and requirements rationalized on a global basis to ensure that organizations are able to address current and pending rules in various jurisdictions as needed,” concluded Vestuto.