Only one-third of responding organizations are GDPR-compliant with EU data privacy rules
On June 22, 2018, a Deloitte Dbriefs webcast titled “EU General Data Protection Regulation: practical steps for compliance” polled more than 490 professionals involved in their organizations’ General Data Protection Regulation (GDPR) compliance efforts. One-third of respondents (32.7 percent) hope to be compliant within 2018, and 11.7 percent plan to take a “wait and see” approach amid uncertainty over how EU regulators in various countries will enforce the new regulation. The poll results are clear – only 34.5 percent of respondents say their organizations can defensibly demonstrate compliance with the new data privacy rules today.
According to Monika Žlabienė, Technology and Data Service Line Leader at the Professional Partnership of Advocates Deloitte Legal, such survey results are not surprising. As the lawyer said, GDPR is a complex legal act that places many new responsibilities on data controllers and processors, so it is not unusual that preparation for this legislation takes a long time and raises many questions. "Ensuring compliance with GDPR requirements is a continuous process; therefore, 100 percent compliance with GDPR is probably not worth talking about," commented Monika Žlabienė. It is no wonder that almost 12 percent of respondents are delaying the implementation of GDPR requirements and waiting for clarity on the practical application of the regulation in different European Union countries. Although GDPR is directly applicable in the Member States, the supervisory practices of each Member State vary, and some organizations expect to see a clearer practical application of GDPR before taking action on its implementation. Nevertheless, lawyer Monika Žlabienė emphasized that violations of GDPR provisions could result not only in enormous penalties but also in damage to an organization's reputation; therefore, it is recommended not to delay and to take action to fulfil the obligations under GDPR.
Third-party contract management for GDPR compliance
The poll also showed that one of the biggest challenges for businesses in the area of data protection is identifying and controlling the third parties to whom organizations have disclosed personal data. Only 13.6 percent of respondents are confident that their organizations know what data third parties have and are leveraging artificial intelligence (AI) and other technologies to analyze and manage third-party contracts for GDPR compliance. A majority (56 percent) aren’t done discerning what data third parties have or the potential implications of GDPR on third-party contract management. Some (10.2 percent) have yet to begin addressing third-party GDPR compliance at all.
Lawyer Monika Žlabienė stressed that a lack of knowledge about data recipients was also frequently observed when carrying out data protection audits of organizations. "While helping our clients prepare for GDPR requirements, we noticed that companies frequently do not know what data has been transferred to which business partners. Companies also cannot specify what actions their business partners carry out with the transmitted data, where they store it and how long they keep it," said M. Žlabienė. As the lawyer commented, under GDPR, data controllers become responsible for the GDPR compliance of the data processors they involve; therefore, in implementing the requirements of the regulation, it is very important to identify the recipients of the data, to determine the scope of the data transmitted and the processing operations performed, and to ensure that business partners are bound by appropriate, GDPR-compliant contracts that provide effective mechanisms for controlling those partners. Without these steps, data controllers will not be able to properly implement their other obligations under GDPR. For example, if a person legitimately requests the deletion of his/her personal data, the data controller must not only complete this request itself, but also notify all recipients of that personal data about the request. Only by knowing what data it has disclosed and to whom can an organization properly fulfil this obligation under GDPR.
Detailed poll results can be found here.
About Deloitte Legal
Deloitte Legal includes the legal practices of Deloitte Touche Tohmatsu Limited member firms or their affiliates that provide legal services. Deloitte Legal teams combine specific industry knowledge with broad legal experience to offer focused, client-centered service to national and multinational organizations. Deloitte Legal industry specialists strive to understand the unique needs of clients operating within the industries that they serve, focus on their business needs, and remain current on trends and developments. The global Deloitte Legal network comprises over 2000 legal professionals in 80 countries.