Editor's note: This article is part of CIO Dive's ongoing coverage of privacy in the enterprise.
General Data Protection Regulation caused headaches before enactment. A year later, the pain lingers.
The main criticism of GDPR was that it laid down rules but failed to spell out what problem the regulation was trying to solve. As a result, initial resistance to GDPR led to changes in externally facing policies, while the under-the-hood changes were left for later.
Regulators started to find their "teeth" this summer after a lull in penalties throughout much of 2018. Fines have been levied against Facebook, Equifax, Uber, Google, British Airways and Marriott for negligent and intentional misuses of consumer data. This year also marks the first time substantial penalties have hit industries outside of technology.
As regulators grow more comfortable with assigning fines for data misuse, GDPR-induced headaches will continue. Here are five ways GDPR has impacted industry:
1. Missing deadlines
Eighty percent of organizations said GDPR implementation was more difficult than other data privacy and security requirements, according to a Ponemon Institute and McDermott Will & Emery report surveying more than 1,200 international organizations.
"You want to know what's expected of you," said Richard Weaver, chief data protection officer at FireEye, in an August interview with CIO Dive. But regulations don't define what "appropriate" security is and "it can be difficult to try to proactively reach out to data protection authorities for guidance."
Most organizations missed the May 25, 2018 deadline and only about one-quarter of European organizations have said they've reached compliance in 2019. By comparison, 36% of U.S. organizations reached compliance.
"GDPR covers companies outside the EU, and it has robust data subject rights that require back-end processes. U.S. companies are just getting used to that," Mark Schreiber, a partner at McDermott Will & Emery, told CIO Dive.
2. Calling out breaches
Half of the survey's respondents had data breaches that required reporting to regulators and 46% had at least two breaches worthy of informing regulators.
"Historically in Europe there was no universal tradition of notifying breaches and so we expected that it would take a while before companies became used to changing their behavior," Ashley Winton, a partner at McDermott Will & Emery, told CIO Dive. "It is notable that such a large percentage are reporting breaches and telling for companies that have not yet made a data breach notification."
Confidence in reporting breaches to regulators is low. Only 18% of respondents say they can inform regulators of a breach within 72 hours of discovery.
But not all breaches are reportable, according to Winton. An unavailable system or an inappropriate use of security controls, for example, are "not reportable." Reporting is reserved for breaches that impact consumers.
"Even if a breach is of a type that is reportable, if the breach is unlikely to result in a risk to the rights and freedoms of individuals then there is no need to report that breach either," said Winton.
3. Implementing a DPO
In preparation for GDPR, 90% of organizations appointed a data protection officer (DPO). In 2019, 92% said they added the role, according to the survey.
But only 64% of organizations in 2019 have conducted an assessment of their ability to comply with regulations.
Under GDPR, companies can have a DPO or a chief privacy officer. The only requirement is that the role remain independent and report directly to the C-suite.
"It's a very specific title. And so many CTOs also hold that title," said Weaver.
In addition to comprehending privacy laws, the CPO or DPO must also understand the technological back end: how data is stored, collected and used by their company. Finding one person with expertise in both areas is challenging, which is why the privacy head's responsibilities often overlap with those of other executives.
4. Keeping an eye on compliance
Negligent insiders were the primary cause of data breaches, followed by third-party threats and cyberattacks, but 35% of respondents don't know the cause of their breach.
It's "a concern that companies do not understand the cause of the breach as presumably that increases the risk of the breach [recurring]," said Winton.
Organizations identify IT security as the most responsible party for GDPR compliance. But "the bottom line is the DPO doesn't operate in a vacuum," according to Weaver. "My twin is the infosec department."
Smaller organizations tend to consolidate, giving the person who is thinking most about risk — the CISO — the responsibilities a chief of privacy would normally take on.
Conducting privacy impact assessments, which identify the who, what, where, when and why of data collection, requires a privacy-security intersection. DPOs have to work with those "who have their heads under the hood," said Weaver.
5. Haunting penalties
Non-compliance concerns are largely the same from 2018 to 2019. Fines and penalties are a constant pressure to maintain privacy protocols.
This year, fines caught up with offenses committed while GDPR was in effect. Beyond a tarnished reputation, the result is that organizations are reserving funds for potential penalties. Nearly three-quarters of organizations have a GDPR budget, with 35% expecting the budget to be renewed annually.
The expansion of consumer rights is also a top concern for 38% of organizations in 2019.
"It is interesting to see that some companies are choosing to adopt GDPR for their U.S. operations even where it is not mandated by law," said Winton. "Perhaps they are taking the view that U.S. privacy law will move closer to the GDPR standard."