A blog post by Natalie Drainville, Junior Associate.
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. It applies to the processing of data of all citizens in the European Union (EU). The GDPR was passed by the European Parliament in 2016 and officially went into full effect on May 25, 2018. The law imposes obligations onto organizations anywhere, so long as they target or collect data related to the people in the EU. It binds organizations to strict new rules about securing and using personal data, with the goal of giving individuals more control over how their data is used, collected, and protected online.
If you process the personal data of any EU citizens or residents, or offer goods or services to them, then the GDPR applies to you even if you aren’t located in the EU. Article 3.2 of the law states that it applies to organizations that are not in the EU if two conditions are met: the organization offers goods or services to people in the EU, or, the organization monitors their online behavior. Under the rules of the GDPR, visitors must be notified of data the site collects from them and explicitly consent to the information-gathering by clicking on an “Agree” button or other action. Sites must also notify visitors in a timely manner if any of their personal data that’s held by the site has been breached. It also mandates an assessment of the site’s data security, and whether a dedicated data protection officer (DPO) has been hired or appointed by the organization. Information on how to contact this DPO as well as other relevant staff members must be accessible so that visitors may exercise their EU data rights, which also includes the ability to have their presence on the site erased.
Despite the GDPR going into effect over three years ago, many corporations are lagging behind when it comes to complying with its regulations. In recent studies, a quarter of the companies asked, reported that they had a low degree of confidence in their readiness and ability to respond to a GDPR data breach, and only 18 percent of respondents said they had a high degree of confidence in their ability to communicate a data breach to the correct EU regulators within 72 hours of becoming aware of it. Over half of the companies interviewed for the study, 54 percent, said GDPR implementation took longer than it expected, and nearly half, 45 percent, said they had an average of two reportable data breaches since the GDPR came into effect. In the United States, this number was even higher, where respondents said their organization had an average of 2.49 breaches post GDPR.
Many businesses continue to work on IT solutions for GDPR projects, many of which use manual processes and temporary controls to ensure compliance. These measures though, do not add up to a sustainable approach, especially given the regulatory requirements for the state-of-the-art-data-protection technology, the increase in requests for access to personal records over time, and the growing challenge of keeping personal data secure. The data management aspect of GDPR compliance has also presented issues for companies. Only 25 perfect of companies surveyed by a 2019 Mckinsey and Company report said that they could meet the requirement to report any data breach to regulators no later than 72 hours after management becomes aware of it. For large, decentralized organizations, reporting quickly and appropriately can be difficult and companies will experience a share rise in mandatory interactions with regulators.
The challenges that companies have faced since May 2018 are not confined to data and IT, and businesses must also ensure that the processes designed during the preparations for the GDPR actually work and produce the expected results. Unfortunately, the many companies that began their implementations late have not had sufficient time to pressure test new processes, and adding to the complexity is the continuing uncertainty about the number and types of requests and breaches that may occur under the GDPR. Companies will most likely continue to improve their GDPR compliance in the coming years and will need to develop new solutions to deal with these complications in order to do so.
 Ben Wolford, Does the GDPR apply to companies outside of the EU?, gdrp.edu, https://gdpr.eu/companies-outside-of-europe (last visited Feb. 14, 2022).
 Wolford, supra note 1.
 Wolford, supra note 5.
 Jake Frankenfield, General Data Protection Regulation (GDPR), Investopedia.com, https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp (Nov. 11, 2020).
 Chris Brook, Per Survey, GDPR Compliance Still Lagging, digitalguardian.com, https://digitalguardian.com/blog/survey-gdpr-compliance-still-lagging (Nov. 26, 2019).
 Daniel Mikkelsen, GDPR compliance since May 2018: A continuing challenge, mckinsey&company, https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/gdpr-compliance-after-may-2018-a-continuing-challenge, (July 22, 2019).