Who will be unprepared for GDPR?
The European Union's General Data Protection Regulation is one of the most ambitious undertakings to date to protect European consumer data and make accountable the companies that use or store consumer data for any reason.

While it further establishes ownership of one's own data as a right, GDPR also calls for companies to know where data is stored, how it has been or will be used, who has access to it, and why.

As such, many in Europe and the U.S. view GDPR, which will replace the 1995 Data Protection Directive when it takes effect May 25, as Europe's first true data breach protection measure — in part because it requires notification of any breach within 72 hours.

But for many, it's simply a complex and costly race to the deadline.
Chart: More transparency, more trust
The EU seeks to establish complete transparency for the consumer. The GDPR goes beyond being open about company policies, as it calls for more complete customer service in terms of responding to consumer questions about their data use or its status at any given time.

In that area, European consumers indicate they feel much better about companies that are truthful about data handling: research from late 2017 reports that up to 72% are either somewhat or very trusting toward those types of companies.
Chart: GDPR is relatively unknown
Business leaders in Europe have had quite a few political events to wrap their minds around, in addition to changes in financial services through PSD2 and now in data security with GDPR.

Though GDPR is likely getting far more attention as the May 25 compliance deadline nears, the task at hand in getting unaware companies on board was evident late last year when the topic rated lowest on an awareness scale for business leaders at 32%, while Brexit was dominating European minds at nearly 90% awareness.
Chart: GDPR awareness varies by country
Like any major payments or data security initiative in Europe, the awareness of what a project entails varies by country.

IT decision makers at small to medium-size businesses in France, the U.K., Germany and Italy have the most awareness and good levels of knowledge about GDPR. In comparison, one in 10 respondents in Denmark and Norway had no awareness of GDPR at all earlier this year.

In the majority of regions surveyed, IT professionals are unlikely to say that they have a "good knowledge" about incoming regulations, preferring instead to say that they are aware of "some of the details." This could reflect both the complexity of the regulations themselves and an overall lack of awareness outside of the larger businesses, corporations and financial institutions.
Chart: North America taking it slow
Even though GDPR's emphasis seems clearly focused on the handling of data in Europe, companies in North America that deal with European consumers must also comply with the regulation.

Only 6% of surveyed IT professionals in North America said their companies were completely prepared for GDPR as of two months ago, which means that 84% are in various stages of preparedness, or don't deal with enough European consumers to address the different facets of the regulation.
Chart: Waking up to data privacy
Data privacy is carrying more weight with all consumers, so the GDPR is certainly catching the attention of financial institutions of all sizes.

At the same time, U.S. banks that may have only a few European customers are likely to approach the regulation cautiously to determine to what extent they will have to rework networks and policies to comply with GDPR. In many cases, they are already working under past European privacy directives and might not need to alter their approaches.

Many payments providers also feel they are ahead of some other industries in terms of handling personal data as it would apply to GDPR.

Still, if a European customer of a U.S. bank makes a data privacy complaint to EU regulators, that bank will come under scrutiny.
Chart: Implementation won't be easy
Companies across the globe seem to agree on one overriding compliance aspect of GDPR — it will be at least as difficult as any other privacy or security measure they have dealt with in the past.

The complexity of the GDPR requirements will be a major task for most companies as they seek to deploy pseudonymization, or the practice of storing each part of a consumer's personal or payment credentials in separate silos; or anonymization, which establishes a unique security measure known only by the company and relies on tokenization when data is moved.

Forty-seven percent of IT respondents to a Ponemon Institute study released this month admitted they did not know where to start their path to compliance. Of the 53% who said they did understand compliance requirements, 92% of those said their organizations have appointed data protection officers to help carry out the tasks.