Duncan Brown, associate vice president, European infrastructure and security at IDC, has spent a lot of time thinking about the General Data Protection Regulation (GDPR). The longtime analyst and author has been hard at work drawing on research and running workshops to get a better picture of the state of GDPR compliance and to advise businesses on how they can navigate their way through this new world.
Armed with the IDC’s latest research on the subject, Brown sat down with CMO.com to offer a helicopter view on life before and after 25 May, what companies have been doing, and what they could be doing better.
CMO.com: The atmosphere before 25 May, when the GDPR went into effect, was quite frantic, and it seemed like a lot of companies weren’t properly prepared. What does the scene look like today?
Brown: There’s no definitive and objective view of compliance; it’s in the eye of the beholder. [The GDPR sets out] seven principles, and attached to those are certain requirements that you must comply with, but it comes down to interpretation. Ultimately, it’s about being able to defend the measures you’ve taken.
Some companies have taken a risk-based approach. They’ve worked out that the price of a comprehensive change will outweigh the cost of a possible fine or sanction, so they have decided to do some things and not others. Partly that was driven by a lack of preparation early on, but it’s also just a matter of being pragmatic.
I think around 50% of companies across Europe are in a reasonably good position. A small minority of those are super compliant, but I would say the majority are pragmatically compliant. That means that they’ve made a business assessment and said they’ll focus on certain data sets and requirements, but not others.
CMO.com: Do you see any trends across certain industries?
Brown: In general, I think some industries are more comfortable with regulations and compliance, such as financial services, oil and gas, and telecoms. I think that those industries less accustomed to regulation, such as media and manufacturing, are less likely to have established processes to deal with regulation. Of course, that’s a very generalised view.
Size is another factor. Bigger companies will have more resources, so they’re likely to adapt to GDPR more easily. We’ve also found, broadly, that the further north and west you go in Europe, the more compliant companies you’ll find. Conversely, the more south and east you travel in Europe, the less likely you are to find compliance. This appears to be based on cultural attitudes around personal data and privacy in some cases, and attitudes towards rules and regulations in others.
CMO.com: You mentioned in a recent blog that you felt some companies saw GDPR as a “crash diet.” How should they go about implementing healthy practices on a long-term basis?
Brown: There are three streams of work that must be done, the first of which I would call “basic data and information governance.” Companies need to ask themselves: What data do they have, why do they have it, how long should they keep it, what consent is attached to it, and where does it sit–data centre or cloud? Some companies still don’t properly know the answers to those rather elementary questions.
The next stage is looking at the specific, new requirements introduced by GDPR. Even if you were compliant with the EU Data Protection Directive, there are some new things that GDPR introduces: The right to access or change data, the right to be forgotten, and the right to data portability are all new.
The final part of the puzzle is to review and refresh your security posture. Are you using appropriate organisational and technical measures to provide security? That isn’t always easy to tell because there’s a rather tricky phrase used to describe security requirements in the regulations: “with regard to the state of the art.” We found that “state of the art” translates differently in various EU languages.
Our research found that in Denmark, for example, state of the art refers to what everyone else is using, whereas in Germany it means using the latest technology available. In the UK it means the latest reliable technology available–not mass adopted, but not bleeding edge either. It’s these nuances that are open to scrutiny.
CMO.com: Among UK consumers, at least, awareness of GDPR seemed to be pretty low. How would you gauge consumer awareness now?
Brown: I think consumer knowledge is still very low, but I don’t think user awareness was the primary goal for the legislation. It was all about getting companies to treat personal data differently and with a greater sense of value.
The second wave will happen when consumers start to realise how much more control they have over their data than they previously did.