The European Union’s General Data Protection Regulation remains a difficult-to-grasp wild card for many organizations, with compliance concerns still top of mind. In one recent study, some organizations said full compliance might be impossible.
Six months after the effective date of the European Union’s General Data Protection Regulation, organizations are still grappling with GDPR’s practical impact and compliance challenges.
More than half of respondents (56 percent) to a recent survey [PDF] by the International Association of Privacy Professionals said they still haven’t complied with the regulation, and one-fifth said that full compliance may be impossible. The average organization spent $3 million on compliance efforts.
“But there is good news: The GDPR looks a lot less complicated and confusing in practice than it initially did on paper,” IAPP said in a news release. “While privacy professionals are still struggling with certain tasks, difficulty scores have dropped considerably for every individual compliance process.”
Lingering issues with GDPR may be creating side effects that could prove problematic in the long run. Among them:
Headaches in the merger process. A recent report from Merrill Corporation says that acquisitions in many parts of the world, including the European Union, Middle East, and Africa, have been held up due to concerns with GDPR compliance. More than half of respondents said that compliance concerns with a target firm that emerged in the due-diligence process stopped an acquisition dead in its tracks, and two-thirds said it would lead to increased scrutiny.
Unexpected security problems. Recently, a plug-in used by a number of WordPress sites for GDPR compliance purposes was hacked, allowing attackers to store malicious commands in a WordPress installation. The attack was ironic: A plug-in intended to protect data privacy could itself be used for identity theft. GDPR creates new variables, and similar attempts to take advantage of them may crop up in the coming months.
Departures from the EU market. Some organizations have chosen to comply with the regulation by removing their websites from the European market entirely. In the media space, for example, Tribune Publishing (which recently reverted to that name from Tronc) has blocked EU visitors from accessing most of its news outlets, with a promise that they will eventually be able to return. But this strategy seems unlikely to be effective in the long run, as support for new data privacy rules in the U.S. is growing.
Confusion about violations. There remains substantial uncertainty about whether compliance efforts actually meet GDPR’s requirements. At Digiday’s Programmatic Media Summit, an unnamed participant mused, “We almost need someone to get in trouble to set an example for the rest of us to know what not to do.” Because that example has yet to emerge, organizations are likely to be wondering whether all the work they put into compliance was enough.