The EU’s General Data Protection Regulation, which went into effect on May 25, imposes new data privacy obligations on all organizations that process the data of EU citizens, whether or not they are based in Europe themselves. The maximum penalties for noncompliance are hefty, so it is essential for businesses to ensure that their practices are GDPR-compliant if they haven’t already.
According to a survey on the eve of the regulation coming into effect, however, most organizations have not yet finished making the required changes, while many do not expect to be fully compliant by the end of this year. Much work still remains to be done to bring organizations into initial compliance with the regulation, and still more work to re-develop data collection, storage, and analytics programs in a compliant manner.
With every organization doing a huge amount of work for the first time and trying to get right with the GDPR as quickly as possible, the environment is fertile for bad information to circulate and for opportunists to take advantage of organizations’ unfamiliarity with the new regulatory terrain. Organizational leaders need to be vigilant about which “experts” to trust for guidance on GDPR compliance, take advantage of the information provided directly by the European Commission, and bear in mind that different functions, particularly HR, face unique compliance challenges.
Step 1: Beware of Charlatans
The proliferation of bad advice and information is a simple matter of supply and demand. Demand for advice is high, both because of the global impact of the GDPR and because so many organizations that were not proactive in planning for compliance are now scrambling to catch up. The supply of that advice is scarce and of uneven quality, with no historical track record of performance. Over the past few months, many companies have been assembling data protection functions and hiring data protection officers (DPOs), causing a run on the thin supply of qualified talent for these roles.