GDPR: A Year Later
The IAPP, which is based in Portsmouth, N.H., has been critical of the GDPR from day one, saying that it is incoherent, inconsistent in its interpretation, and incomplete.
One of the biggest shortfalls for businesses right now concerns the GDPR provisions requiring a full accounting of all the information organizations hold on consumers upon request within one month. Research shows that just 35 percent of European companies and roughly half of companies outside of Europe could fulfill that request.
"Many companies are beginning to master the basic notification aspect of GDPR while also identifying the source of data involved but have not fully embraced all aspects of the regulations," admits John Nash, chief marketing and strategy officer at RedPoint Global, a U.S. marketing technology vendor.
Finances play a big part in this, according to Nash. "Many organizations lack the budget to achieve compliance with GDPR because their executives feel that investments related to compliance are nothing more than a sunken cost that doesn't support revenue growth goals," he states. "In this light, they will slowly roll out policies and controls and then automate the function with as minimal of an investment as possible."
Another obstacle has been a high level of uncertainty about which firms had to follow the new regulations, according to Jai Davda, director of infrastructure at FormAssembly, a U.S. firm that offers applications to help businesses design, build, and manage web forms and surveys.
"There was a lot of ambiguity regarding requirements," he says. "User education was and is still an ongoing challenge, especially with regards to geographical boundaries."
There is still some disagreement as to whether European companies are ahead of the rest of the world when it comes to GDPR compliance. "Companies in the EU certainly seem further ahead with their compliance efforts and practices, having started working on solutions long before the international community," Vernhout says.
But even he concedes that "many organizations all over the planet are still looking at their obligations under the legislation, trying to determine what is applicable to them and their portions of processing an individual's data."
Qubit's Carvel also fears that there's still much confusion in that regard. "I think that a lot of U.S. companies still do not realize that GDPR affects them," he says.
Experts widely agree, though, that companies should simply assume that all aspects of the GDPR apply to them, even if that is not the case at the moment. The consensus thinking is that the GDPR, while flawed and not yet widely enforced, will quickly spread to other parts of the world.
The GDPR has already garnered international attention, with similar legislation in the works in countries like China, Japan, India, Brazil, and New Zealand.
In India, for example, a government committee last summer released the Personal Data Protection Bill of 2018, and in Brazil, the General Data Protection Law (LGPD) is scheduled to come into force in early 2020. Both are modeled closely on the GDPR.
Canadian officials are also expected to update the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private-sector organizations in Canada collect, use, and disclose personal information. PIPEDA has been in effect since 2000 and is long overdue for an overhaul.
Even in the United States, attention around the GDPR has been mounting. California last June became the first U.S. state to enact comprehensive rules governing the rights of consumers around control of their personal information. The California Consumer Privacy Act (CCPA) will give state residents access to their information and let them determine which information about them can be collected, sold, or released to third parties. The new rules are due to take effect Jan. 1, 2020.
The California rules are being hailed as a starting point, but experts would prefer to see the U.S. federal government enact a piece of national legislation. They strongly warn against individual states passing their own forms of GDPR rather than having a universal policy across all 50 states.
"A state-by-state approach might cause some fragmentation" in the United States, Zuant's Gillett argues. It's a concern that is shared by others in the field.
"A national GDPR-like regulation is key to resolving conflicting regulations that would happen if each state implements its own GDPR-like regulations," Nash warns.
Carvel argues that companies might not take the CCPA seriously because it is only a state law rather than federal legislation.