New EU rules on data privacy come into effect this month.
The most important update to data privacy doctrine in 20 years goes into effect May 25, when the European Union adopts the General Data Protection Regulation (GDPR). Companies are still struggling to get compliant before the legislation is given the force of law.
GDPR applies not only to European companies, but to companies anywhere that process data about individuals in the context of selling goods or services to citizens anywhere in the EU. Protected information includes names, photos, email addresses, bank account numbers, social media posts, medical information or even IP addresses. Although the rules have been public for two years, “understanding how to meet those requirements remains a barrier for many organizations,” says Jim Reavis, CEO of the not-for-profit Cloud Security Alliance (CSA), which conducted a global survey of GDPR preparedness.
According to the CSA’s GDPR Preparation and Challenges Survey Report, more than 10% of companies still had no defined plan for compliance as of February, when the survey was taken. Although 71% of respondents felt confident their organizations would be compliant on time, 83% did not feel very prepared at the time of the survey. More than a quarter reported little to no familiarity with the law, with respondents from companies in the Asia-Pacific region feeling less prepared than respondents from other regions.
The right to be forgotten, or “right to erasure,” was cited by more than half as among the biggest compliance challenges. Furthermore, data assets must be mapped to business context diagrams and defined data flows, and these preparations were also cited as challenges.
The most popular methods to show compliance, according to the survey, are documentation of data-collection policies (68%), codes of conduct (56%) and third-party audits/assessments (55%).