‘When the Dust Doesn’t Settle’ – GDPR Compliance One Year In

The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018. In the year since then, companies have had mixed success in fully implementing it. Organizations’ experiences with the GDPR have varied depending on their industrial sector, global presence, and maturity. The same can be said for the many consultancies and third parties that companies have enlisted to support their compliance efforts. Based on our own experience with providing such support to companies seeking compliance, we have concluded that both consultancies and companies fall into two camps: Those expecting to complete large-scale GDPR efforts on or about May 25, 2018, and those who have realized that this date marked the beginning of a much longer, and possibly transformational journey toward data privacy. Some of this gap is a product of the GDPR’s uniqueness as compared with systems-level security controls, which are the bread and butter of many consulting firms. In contrast with Service Organization Controls (SOCs), the GDPR makes a concerted effort to refrain from prescribing rigid steps toward achieving data privacy compliance. This challenge is compounded by the continued realization that data privacy and data driven products are matters that are deeply engrained in the ways that large-scale organizations operate and generate competitive advantage in today’s global economic climate. In this article, we identify and describe practices we have observed on a global scale and across industries as companies attempt to implement privacy requirements, address regulatory gaps, and navigate this new privacy landscape. We discuss technical, business, and process level constraints and opportunities for advancing the goal of embedding privacy into the product life cycle and provide examples for others to learn and build from.