The long-awaited GDPR compliance deadline has arrived! For practical purposes, almost every company in the US and Europe now fits neatly into one of two categories: (1) ready, or (2) not ready. A surprising number of companies (about 65%, according to a report by Solix Technologies) place themselves in the second group.
Those who fail to meet the requirements of the new law face a range of possible sanctions, including administrative fines of up to 20 million euros or 4% of a company’s total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)).
In working with our clients on GDPR compliance, one of the biggest issues we’ve come across is that the regulation leaves a great deal open to interpretation. We are therefore advising our clients to err on the side of over-protection until further guidance from the supervisory authorities is available.
One example of this current vagueness relates to the GDPR’s “right to be forgotten”, formally the right to erasure in Article 17. It grants data subjects (the individuals the data describes, not the companies holding it) the right to have their personal data erased without undue delay when, for example, the data is no longer necessary for the purpose it was collected for, or the individual withdraws the consent on which the processing was based. Here are some of the most widespread and confounding questions posed by data managers on this point:
Will the “right to be forgotten” require all personal information to be purged from all systems, forever and ever?
Some organizations aren’t sure whether the provision means that every copy of the data must be removed from existence, and this is a valid question, especially for healthcare providers. The right is not absolute: Article 17(3) carves out processing that is still needed to comply with a legal obligation, for public-health purposes, for archiving or research, or to establish or defend legal claims, and a medical record retained under a statutory retention period is a typical example. Where erasure does apply, it is triggered by the individual’s request rather than by any separate permission, and if the controller has shared the data it must take reasonable steps to inform the other controllers of the request (Article 17(2)). Many companies still aren’t sure what form such a request will take, how they will verify that it comes from the right person, or how to propagate the deletion to backups, logs, and processors that hold copies.
Must personal data be protected from misuse and unauthorized access at every single stage of the lifecycle?
The answer is yes. Article 5(1)(f) requires personal data to be processed in a way that ensures its integrity and confidentiality, Article 32 requires technical and organizational measures appropriate to the risk, Article 30 requires most controllers and processors to keep records of their processing activities, and Article 7(1) requires a controller relying on consent to be able to demonstrate that it was given. In practice, that means being able to trace each category of personal data through its lifecycle: collection and consent, updates, transfers to processors or third parties, and eventual deletion. Establishing that trail is proving difficult, especially for smaller companies with leaner personnel and budgets. Some tech leaders aren’t even sure where all sensitive data resides within their own systems, and without an inventory there is nothing to build the trail on. Organizations in that position are likely to miss the deadline before they can resolve this issue.
Will companies be penalized for noncompliance even if the violations are unintentional?
Intent is not a prerequisite for a penalty. Article 83(2) lists the intentional or negligent character of an infringement as one of the factors a supervisory authority weighs when deciding whether to impose a fine and how large it should be, so an unintentional violation can still be fined, though typically less severely than a deliberate one. A more basic problem, according to survey results, is that some companies are still unsure whether the GDPR applies to them at all. Note that the test is not citizenship: under Article 3, the regulation applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals who are in the EU, whatever their nationality. Companies that don’t know how many of their users and clients, if any, are located in the EU cannot answer this question, and the mystery deepens for organizations that still aren’t sure where and how all personal information is stored within their own systems.
Despite the long runway leading up to the GDPR deadline, questions remain for a large percentage of organizations that simply don’t know how to proceed or how to get these issues resolved. The answers vary widely depending on each company’s business model and circumstances. If you’re facing these issues, deadline or no deadline, contact us and we’ll help you close the compliance gaps that still stand in your path.