GDPR led to "three levels of denial" from companies, including avoiding compliance, rebranding policies or playing the "wait and see" game, said Sara Jodka, counsel at Dickinson Wright for data privacy and cybersecurity, in an interview with CIO Dive.
Because "every company is a different animal," the learning curve surrounding GDPR varies, along with any perceived impact of violations, according to Jodka. But failure to at least procure a registered agent to process complaints or serve as a point of contact for EU customers could put companies in the "crosshairs" of regulators.
Some companies that failed to comply by May 25 are intentionally bowing out of EU service until all requirements are met, rather than taking a chance with incomplete compliance. These companies are effectively taking a "responsible" hiatus from serving EU customers even if it costs them time and money, said Jodka.
Jodka has experienced firsthand some of the opposition U.S. companies have to GDPR. Organizations have accused the regulation of "just scaring U.S. companies," while others take a hard line on the belief that a European regulation cannot be enforced in the U.S.
Some companies expressing resistance in a less defensive way have turned to the facade of rebranding externally facing protocols without the internal functions in place to reinforce them.
But rebranding is often a part of the "wait and see" practice some companies are embracing under GDPR. Companies adopting this approach are waiting to see the ramifications of a similar-sized "guinea pig" facing GDPR violations.
Trying to work around regulations is not something any company can afford long term, particularly in the face of steep fines. Taking the necessary time and steps to ensure full compliance is like "making sure your product is right" instead of "having to recall it because it didn't work," said Jodka.