- More than half of "GDPR-relevant companies," (General Data Protection Regulation) 58%, failed to address data requests within the designated one-month timeframe, according to research from Talend. By comparison, last year 70% of companies didn't meet requests on time.
- The average cost of a single data subject access request (DSAR) is $1,400, said the report, citing Gartner. The public sector, followed by media, telecommunications and utilities are the laggards of GDPR compliance.
- Companies can fail compliance when they lack a data privacy officer (DPO), have an inability to locate data or deleted data, and are overwhelmed. More than one-fifth of companies will rely on extensions allowed under article 12.3 of GDPR to provide all the requested data. The article states, in part, the period may be extended by two months "where necessary, taking into account the complexity and number of the requests."
GDPR got its teeth this year. Companies, including Google, British Airways and Marriott International, were handed record fines for intentional or negligent misuse of data.
Early in its enactment, GDPR fines were levied largely against big tech for data broking, but this summer British Airways and Marriott International reframed the cost of a data breach. Because GDPR is a comprehensive law, any violation of data privacy could result in a fine, regardless of the industry, the data, or how the data was mishandled.
The majority of companies, 80%, said GDPR implementation was more difficult than other data privacy or security requirements, according to a Ponemon Institute and McDermott Will & Emery report. Implementation was challenging because regulations fail to articulate what appropriate security standards are. Contacting regulators for guidance has also had difficulties.
Talend found that a lack of data control or visibility contributed to slower processing times and upticks in extensions, which could contribute to the risk of a breach. Organizations put privacy compliance on their security organization because DPOs don't operate in a vacuum. Infosec teams are often the right-hand men and women of the DPO.
Smaller organizations, without a DPO, will rely on the security chief for privacy compliance.
When companies struggle with tracking personal data or securing a request on time, it's because they don't have effective change management in place, according to Talend. So-called off-label solutions can moonlight as data privacy tools, including information rights management, and security and risk management.