Why GDPR remains challenging, one year in
Because various aspects of the General Data Protection Regulation were made public two years before they became official law, European lawmakers naturally felt it gave companies plenty of time to get data security compliance in place.
But it appears most companies either lost track of time or haven't solved the compliance puzzle yet.
As GDPR and its support for privacy of consumers edges toward its first anniversary next month, many companies are still trying to comply — and avoid hefty fines — by first getting a fuller understanding of their own data policies.
"Most companies did not prioritize this topic and did not take protection seriously," said Dietmar Rietsch, CEO of Pimcore, a Salzburg, Austria-based software vendor specializing in organizing digital data and breaking down data silos common at most companies. "Now, one year following GDPR implementation, we are in a situation where many major companies are still struggling to comply."
A survey of more than 600 companies from research firm TrustArc shortly after GDPR was official last May indicated only 20% of companies handling data in the U.S., U.K. and European Union were compliant, though 53% indicated implementation phases had started.
But a study of 600 companies at the end of 2018 from International Association of Privacy Professionals indicated 50% of companies were still not compliant, with 20% saying they felt GDPR compliance would be impossible.
For companies still struggling, Rietsch said a common thread is not having "a proper data management strategy in place" at the time GDPR became law for any company handling the data of European consumers.
Among other things related to best practices for storing and managing data, GDPR clearly placed the control of personal data with consumers. The law called for companies to be able to explain to inquiring consumers where their data was stored and for how long, and what that data had been used for or shared since initial business with the company. After that sort of disclosure, the consumer could choose to have his or her data taken out of the company database.
Because companies have had some trouble complying with the key GDPR mandate of responding to consumers making requests on behalf of their own data, it points to a major problem associated with the lack of a data strategy.
A data management strategy is "a necessary prerequisite for knowing where data is stored and understanding the relationships between data records," Rietsch said. "Getting this clear picture of enterprise data is still giving companies many headaches nowadays."
One aspect of GDPR that some companies have embraced calls for the "pseudonymization" of data by segregating an individual's information in separate files. In that manner, if a hacker somehow got into a data storage vault of a network, not all of the pertinent information for one person would be in one place.
While it is an effective security measure, that practice has created difficulties in how companies embrace, monitor and manage siloed data to avoid it creating slowdowns.
"This can still be part of a strategy, however it is also necessary to work with up-to-date data encryption," Rietsch said. "Storing data in silos might have some benefit, but it also has many disadvantages."
That type of storage can make processes slower, Rietsch added, especially when a company wants to obtain a full picture about an individual, or if it would like to remove a data record from the system completely.
"You have to delete data after a certain time if there is no necessary reason to keep it, for example, if the business partnership ended," Rietsch said. "That is part of the regulation."
Getting a strong data management policy in place is vital to GDPR compliance, in part, because it would signal to the public that the company understands privacy, said Bart B. Willemsen, Gartner vice president and analyst, and Fellow of Information Privacy.
"It's not data that needs privacy, it's people who need privacy," Willemsen said. "Security may keep safe what we have, but privacy dictates above what personal data we should have in the first place."
If a company realizes it can achieve the same purpose but process less personal data, it is mitigating privacy risk at the start, where it belongs, Willemsen added.
"That is business process re-engineering and it goes beyond IT or security," he said. "Organizations don't exist to process personal data, they process personal data to exist. Meaning, data has a purpose, but should be used only in that context."
As an example, Willemsen said a company holding a database of 30 million transactions to comply with national tax laws stating those transactions should be retained, should assure that only people involved with that compliance should have access to it.
"The problem is, many companies keep that on their regular database," he said. "When records expire, they should be cleared out. You don't want your data warehouses to look like my grandfather's attic."
Moving into 2019, there was a sense that other countries were interested in Europe's GDPR and would possibly consider adopting their own version of it. The U.S. has been showing some desire for stricter data control laws, with California establishing its own version of GDPR with the California Consumer Privacy Act. That regulation is set to go into effect in 2020 with an emphasis on more transparency for third-party companies that handle or store consumer data. Washington also has a new privacy and data protection law in place, while Texas has begun crafting one.
Other countries, such as Brazil, Argentina, India and Egypt, are updating current data security and consumer privacy laws.
"In the last 18 months, more has happened within the realm of privacy than in the entire century before that," Willemsen said. "It means we are behind in our data governance and our granular control over personal data. If there was no problem, there would not be so many laws popping up globally to protect the value of privacy."
Organizations that say it is impossible to comply with GDPR at this point "either lack resources or a full understanding of the relevance of these regulations," Willemsen said.