And now that I have your attention… there really is a link between the two incongruous topics in the headline. Archive360’s Bill Tolson explains.
Perhaps you remember sitting through a class in high school billed as “sex education,” yet finding it dealt so indirectly with the topic that it was difficult, if not impossible, to discern the pertinent details that would help you understand what you really needed to know in this area. When faced with a real-life situation, many of us thus stumbled in blindly.
If you know anything about the General Data Protection Regulation (GDPR), then you’ll see the close analogy here. While the regulation has been in effect for almost a year now, many companies are still failing to grasp and act on the necessary details to stay compliant — the equivalent of closing their eyes and hoping for the best.
Dan Ariely, Duke professor of psychology and behavioral economics, expressed this concept succinctly in relation to big data when he tweeted:
“Big data is like teenage sex: everyone talks about it, nobody really knows how to do it, everyone thinks everyone else is doing it, so everyone claims they are doing it…”
The fact is that this astute truism fits the GDPR just as well. Many organizations aren’t addressing GDPR compliance at all. The proof of that assertion is in the complaints: as of the end of the first month of 2019, the European Commission reported that since May 2018, when GDPR went into effect, it had logged a mind-boggling 95,100 complaints related to organizational data practices — including email, telemarketing and video surveillance — as well as over 40,000 breach notifications and hundreds of cross-border violations. This is true despite the high fines that companies face for noncompliance.
And in fact, the threat of financial repercussions is real, as many companies have already been on the receiving end of noncompliance fines. Industry analysts have suggested that only around half of organizations are expected to be GDPR compliant by the end of this year — foolish for the other 50 percent, since enforcement of the regulations will continue to escalate.
How steeply will it escalate? A look at what has happened to date holds a clue. If you were among those last May wondering how aggressively member states of the European Union (EU) would target companies that failed to protect data, you didn’t have to wait long for an answer. Analysts had originally speculated that when it came to smaller firms and organizations without big names, EU members would show mercy and give these companies some time to adjust to the regulatory mandates, so that they could gradually put technology and processes in place rather than be prosecuted immediately for violations. This prediction of leniency has not turned out to be the case, for big-name and under-the-radar companies alike.
Within hours of the GDPR taking effect, tech titans Facebook, Google, Instagram and WhatsApp received almost instant privacy complaints that could result in penalties of as much as $9.3 billion in total. And just months after the regulation’s enactment, EU citizens went after some of these same behemoths, including Facebook, Google and Oracle (not to mention smaller players), showing that GDPR has sharp teeth. Google, for example, got hit with a $57 million fine on multiple counts, including lack of valid consent regarding personalization of ads, lack of transparency and inadequate information.
In terms of non-big-name organizations, there are countless examples of steep fines being levied for data privacy infractions, such as:
- A small Austrian company was fined when its public-facing security camera captured too much of the surrounding public area.
- A Portuguese hospital got dinged a painful €400,000 for employees accessing patient data improperly.
These examples suggest that a shift in rules about public surveillance is in order, as are stronger measures enforcing user controls and internal access. Why, though, when the evidence is clear that GDPR is being enforced and companies are being fined, are so many organizations ignoring these realities and so few doing what’s necessary for compliance? I can offer a few educated guesses:
- Some companies that should be following the regulations but don’t have facilities in the EU may still erroneously believe that GDPR does not apply to them.
- Other firms may incorrectly assume that they have years before EU members begin fining non-multinationals.
These suppositions just aren’t true. If even one EU citizen is disgruntled with your data privacy policy in relation to the GDPR and files an online complaint against your organization, you could find yourself added to the list of fined offenders above. Once a complaint is filed, you’ll be in the spotlight as EU member authorities require you to explain in detail your data collection and data retention practices for EU citizens’ data. So while closing your eyes and hoping for the best may be the easier approach, it’s not a smart one, especially with the California Consumer Privacy Act (CCPA) poised to take effect.
The good news is, you have a major advantage over those poor teens sitting in sex ed who didn’t have the information they needed to feel empowered and educated; the information about how to stay GDPR-compliant has been widely published, is readily available and awaits your action. As a reminder, at the almost one-year anniversary of GDPR’s initiation, here are five of the most important steps you can take to protect your company from noncompliance fines:
- Hire or designate a Data Privacy Officer (DPO). Be sure to list this individual on your website along with his or her contact information. If you don’t, it’s a red flag for people trolling company sites hoping to find a victim of GDPR noncompliance, since companies that lack a DPO are seen as sitting ducks for a quick payday.
- Be sure your organization’s information management system has clear policies in place, backed by the system’s capabilities, that support GDPR compliance.
- Include information for customers about how to opt in and opt out on any collection forms that gather personal information.
- Consider data sovereignty requirements around data movement.
- Consider the right to be forgotten and determine how you would conduct secure deletions if requested or required.
Ready to move from claiming you’re doing it right (or praying you are) to getting the job of GDPR compliance done? Flying blind is no way to travel; savvy companies know better and have implemented an end-to-end solution for information management and archiving. Take the next step and learn to approach data collection and management with GDPR in mind.
This post was originally shared on the Archive360 blog and is republished here with permission.