More than half of companies affected by the European General Data Protection Regulation (GDPR) will not be in full compliance with its requirements by the end of 2018, according to Gartner Inc.
The European Union parliament began debating the GDPR in 2012 and the regulation was eventually passed in April 2016. The goal of the regulation is to align data privacy across Europe, in an effort to protect citizens' data and change how organizations approach their use of data. The GDPR goes into effect May 25, 2018.
"The GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU as well," said Bart Willemsen, research director at Gartner. "Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data."
The GDPR is the first big piece of European privacy legislation in the last 20 years, and once it goes into effect, companies that mismanage citizens' personal data may have to pay fines equaling up to 4% of their worldwide revenue.
Some companies are well into preparing for the new rules. Large cloud providers, for example, have been opening new data centers in Europe so they can keep EU-based data close to home. Companies like Google are also reaching out to customers to assure its commitment to the regulation and illustrate what measures it has taken.
But many smaller organizations have yet to begin the compliance process, and likely aren’t sure where to start. While tips are readily available, smaller organizations will still have to increase their investment to ensure their data practices are in compliance with the GDPR by the time it goes live next year.
Those most affected by the GDPR will likely be organizations that are currently free from EU data protection laws— namely data processors and those data controllers that are not established in Europe — both of which will find themselves liable for breaches of any EU data they have in their control.