According to an Ensighten survey of 150 UK brand and agency-side marketing decision makers taken prior to the deadline:
- “Just 26% of respondents said they felt ‘very confident’ that their data governance procedures were robust enough to be classified as compliant by the looming 25 May deadline.”
- “45% of UK marketers have said their business is setting money aside to cover any potential fines issued by regulators.”
- “With less than one month to go until the Information Commissioner's Office (ICO) starts enforcing the rules in the UK, 61% of marketers said that they would apply for an extension on the target date if there was an option to do so.”
In short, companies still have a lot of work to do to ensure they are GDPR compliant. Like any company facing a regulatory change that touches its core processes, they are running into significant challenges. SEI has helped prepare numerous companies for GDPR. Here are a few of the key challenges we have observed.
Challenge #1: Notices & Consents
Meeting the GDPR's notice and consent requirements calls for a comprehensive effort: map every page on the company's websites, understand each page's purpose, determine whether consent is required for the data it collects, and update the pages accordingly, in the appropriate language for each audience. Once that is complete, the challenge becomes staying compliant as new pages are developed. It is critical that, as companies implement their notices and consents, they also put in place business processes that keep them compliant as new content, and new products or services that require personal information, are added.
Challenge #2: Personal Data & Data Subject Requests
If your company handles EU personal data, it needs fast, reliable answers to questions such as what types of EU personal data it holds and, more importantly, what is being done with that data. And if someone asks to update their data, or requests its deletion, is there a process in place to handle the request? How is all of this done? Start by building an understanding of the applications and systems that might contain personal or sensitive information about EU data subjects. Then assemble a cross-functional team, including Legal, IT, Compliance and Communications members, to run a simulation of a data subject request against your organization's readiness, so that gaps and areas for improvement in processes and procedures surface before a real request arrives.
Challenge #3: Adapting to US-based and other Global Privacy Regulations – now and in the future
Below are a few current legislative efforts that have either recently passed or are currently being considered, which illustrate the imperative for an adaptive compliance model.
- California Consumer Privacy Act of 2018: Companies that store large amounts of personal information will be required to disclose the types of data they collect, as well as allow consumers to opt out of having their data sold.
- S. Res. 523 (115th Congress): A resolution introduced on May 24, 2018 (one day before GDPR went into effect) encouraging companies to apply the privacy protections included in the European Union's General Data Protection Regulation to citizens of the United States.
- S. 2179 (115th Congress): The Data Security and Breach Notification Act, introduced on November 30, 2017, to create the first federal standard for penalizing breaches in which consumers' personal health care information, Social Security numbers, credit card numbers, or email addresses are compromised.
While GDPR specifically pertains to EU personal data, companies need to build their data privacy programs so they can adapt to future regulations and laws. Failing to do so increases the risk of spending significantly more time, money, and resources than would otherwise be necessary to comply with new legislation, or worse, incurring penalties and fines that could be devastating to some companies. Don't get caught off guard. Find the right partner to help you navigate your data privacy program to GDPR compliance and beyond.