Note: This blog was first published in February 2019 and is being re-published here for the first time.
The GDPR has been in effect since May 2018. The question many companies asked ahead of time was whether the Commission would be aggressive in going after companies immediately, or wait a while.
The EU went after the big guys immediately, Google, Facebook, and Oracle (to name just a few), probably to make a point that they are not kidding around. But it doesn’t look like smaller companies needed to worry as soon as the new privacy regulations came into effect. I was told before May 2018 by analysts that the EU would move gently in prosecuting non-big name companies to give companies time to put technology and processes in place. An analyst firm also told me that they expected that only 50% of affected companies would be fully compliant by the end of 2019 – they were right.
On January 28, 2019, the European Commission celebrated Data Protection Day by reporting that it had received 95,100 complaints about data practices and 41,502 breach notifications since the General Data Protection Regulation (GDPR) took effect in 2018. The complaints cover telemarketing, email, and video surveillance. The EC is also probing 255 cross-border violations. These facts surprise me (especially given the potential fines) in that there are so many organizations that have yet to do anything about GDPR compliance. They also highlight the humorous but true maxim:
“The GDPR is like teenage sex – companies all talk about it, none of them knows how to do it, they all assume everyone else is doing it, so they all claim to be doing it also.”
If the above is correct, there are still a considerable number of companies that are subject to the GDPR but are either painfully unaware of it or are choosing to ignore it. Reasons include:
- They don’t think it applies to them because they do not have facilities in the EU
- They assume it will be years before the EU starts to target non-multinationals. [All it takes is for an EU citizen to file a complaint about your company to begin the process. Then the costs start adding up.]
You can’t close your eyes and just hope…
Let’s take a look at this situation in a bit more detail.
- The GDPR is like teenage sex – they all talk about it: Remember when you were a teenager… we didn’t have cell phones, social media, decent computer games, or any resource for questions about sex beyond talking to your friends – what else was there to talk about anyway? In reality, there has been no shortage of opinion, commentary, and marketing about the GDPR. A basic Google search on the GDPR topic produces 296 million results.
- None of them knows how to do it: I remember this one time at band camp… never mind, that’s a future blog. The GDPR is a complex law that affects companies worldwide. Many/most organizations have been deluged with “expert” opinions, marketing FUD (Fear, Uncertainty, Doubt), and a general lack of understanding from corporate regulatory and legal departments.
- They all assume everyone else is doing it: At that age, didn’t you think everyone was doing it – they said they were! (including you). It’s the same with the GDPR! Companies don’t want other companies (especially their competition) to know they haven’t yet started or completed their GDPR preparations – even though they should have been compliant back in May of last year.
- So they all claim to be doing it: Why not! It might make you look like the “experienced” one in school, and when asked about it, the others won’t be able to tell you’re lying anyway – they haven’t figured it out either. For GDPR compliance, it’s all in how you’re perceived – NOT.
All jocularity aside (mostly)
We are now almost a year into the GDPR. If you haven’t addressed it yet, you are playing with fire. Have you designated a DPO – data privacy officer and listed them with their contact information on your website? Have you included opt-in and opt-out descriptions on your personal information collection forms? Have you thought about data sovereignty requirements around data movement? Have you considered the right to be forgotten and secure deletions?
The most obvious red flag for individuals looking for a quick payday is a website with no DPO information, and trawling websites for it is easy. If a company doesn’t even have that, it is a prime target for a complaint.
In reality, all it takes is for an EU citizen to file a complaint against your organization. Eventually, the GDPR authorities will be knocking on your door, wanting you to answer a bunch of questions about your data collection and retention practices concerning EU citizens.
Like Dirty Harry, the leading philosopher of the 20th century, once asked, “Do you feel lucky…punk? Well, do ya?”