GDPR, the European regulation on data protection and privacy (and whose letters actually stand for General Data Protection Regulation), aims to make enterprises more accountable for the protection of EU citizens’ personal data. In a stark deviation from the earlier data protection directive, GDPR places data protection responsibility on both data controllers and processors. The following figure provides a comprehensive view of GDPR and its many requirements.
Since GDPR became legally binding on May 25, 2018, it has brought the discussion around privacy of personal data to the forefront. It has mobilized data subjects to action, and enabled them to play a pivotal role in ensuring protection of their personal data, while holding enterprises accountable for any data breaches or non-conformity to data subject rights as provided by GDPR.
GDPR has received a lot of flak since it was approved by the EU Parliament in April 2016. Common complaints focus on the enormous fines associated with non-compliance – 2-4 percent of the company’s annual turnover – and the high cost of compliance, which could reach up to millions of dollars.
Given the hefty fines, one would expect enterprises to be shaking in their shoes and adopting a more proactive approach in complying with all of GDPR’s requirements. However…
Enterprises are Taking a Blasé Approach to GDPR
…More than a month past the deadline, enterprises’ response to GDPR compliance remains lukewarm. Consider the following comments from Everest Group clients:
“25th May is not the end. In many places, it starts off the journey to data privacy. We are in a good position, but we still have a lot to do after the 25th.”
– Director of Transformation at a financial institution
“GDPR involves huge amount of money, and I am not sure if it’s necessary. I don’t know what we are gaining from it, or if it offers any value to the organization. We could be spending the same money elsewhere for more value.”
– Head of Platform Delivery at a leading financial institution
Our GDPR research with enterprises across verticals and regions suggests that enterprises are not breaking into a cold sweat and are adopting a strategy based on minimum viable compliance. As counterintuitive as it might sound given the high cost of non-compliance, 90 percent of enterprises are adopting a “wait-and-watch” or “good enough compliance” strategy. They are making basic remediations to existing systems and processes, while exerting caution in making heavy investments towards compliance.
Of course, there are region and industry specific variations. U.K. enterprises are way ahead of the curve than their counterparts in the Middle East. B2C businesses are adopting a more proactive approach than B2B firms. Still and all, most enterprises embarked on their GDPR compliance journey only a few months before the legally binding deadline, leaving a lot unaddressed, untouched, and unfinished. In fact, our research revealed that only 10 percent of enterprises were compliant with all the requirements of GDPR before the deadline.
A Golden Opportunity to Build Trust
Even before GDPR, enterprises had to comply with a series of regulations affecting different aspects of their business, including personal data. Today, enterprises perceive GDPR as an ongoing part of business-as-usual. This assumption, though flawed, is leading them to believe that a simple approach focused on demonstrating their intent to comply, rather than actually being compliant, will be enough to evade the hefty non-compliance fines.
However, by basing their GDPR strategy on such assumptions, enterprises are exposing themselves to reputational and financial risks. There is no dearth of examples to support this viewpoint. Data breaches were a significant factor responsible for both Uber and Yahoo’s drops in valuation. Adobe had to pay US$1.1 million in legal fees and an undisclosed amount to users to settle data breach claims. With the Cambridge Analytica scandal, Facebook’s stock price plummeted, and the court summons only darkened the existing stain on firm’s reputation.
Data breaches have made today’s digital world deficient in trust. By choosing not to invest in GDPR, enterprises are losing out on a golden opportunity to build trust with their customers and stakeholders, and make their security systems/data protection methodologies robust.
Further, if, as expected, GDPR inspires other economies to introduce similar data privacy standards, compliant enterprises will benefit in the long run and enjoy seamless access to the global markets. Hence, a piecemeal approach to compliance will derail enterprises’ train, and slow their ride to the global opportunities provided by the data powered economy.
For a detailed view of enterprise GDPR priorities and investments, along with leading service provider capabilities in driving compliance, please download our report entitled GDPR Services: Gross Disconnect in Perception and Reality – Services PEAK Matrix™ Assessment 2018.