In 2017, when the European Parliament announced plans to make the General Data Protection Regulation a reality, organizations sitting on large troves of customer data immediately took notice. They weren’t as quick, though, to take action to meet the regulation’s actual requirements.
GDPR compliance has been a tough road for many organizations targeted by the legislation. Half a year after it took effect, some still struggle with the technical side of things, while others are now noticing that their cost projections have been a tad too optimistic. Still, as time progresses, and leaders get more educated in GDPR matters, organizations worldwide are starting to take the European regulation very seriously.
Compliance and implementation costs
A survey examining the GDPR’s global impact six months in reveals that, in many cases, it cost more than anticipated to implement compliance tools, train staff and create better data protection policies.
“Though the survey showed a generally positive response to GDPR a half year after its implementation, many respondents said their companies paid more than they had anticipated for compliance with the regulation (41 percent),” according to Verasec, the smart card management company that commissioned the study from SurveyMonkey.
“Another 41 percent said they were successful in keeping their costs on budget, and 18 percent said it cost them less to implement than they had expected,” the company said.
Respondents further cited challenges associated with compliance, including:
- educating internal employees (27 percent)
- lacking resources to complete the implementation (23 percent)
- communicating with customers (20 percent)
- addressing technical issues in a timely manner (20 percent)
Preparing for rainy days
Perhaps a more notable finding from the study: “non-EU companies are adopting similar regulations in anticipation of stronger customer privacy rules in their own locations.”
Bitdefender highlighted this trend a while back in a piece on how the GDPR is prompting renovation of data protection practices worldwide. While the regulation strictly protects personally identifiable information (PII) of EU citizens, its influence stretches beyond the EU and the European Economic Area, to any entity that collects or processes data of EU citizens, regardless of its location on the globe.
Although more than half of the survey respondents said their companies are based in the US or other non-EU countries and are not required to comply with the GDPR, 70 percent said they are working hard to comply. Respondents said they were doing so as a standard practice, a general rule of thumb in an era increasingly dominated by data protection laws.
“About 50 percent noted that whether they have the rules or not in their countries, GDPR remains a good standard security practice. 30 percent also believe that more stringent privacy rules will likely be forthcoming across the globe. What's more, nearly one in four respondents not currently under GDPR control feel adopting the regulations now will help them as they prepare their companies for expansion into Europe,” according to the report.