Joshua Shirley

Information Privacy Law

Professor Ira Rubinstein

March 7, 2017

Privacy Blog Post – GDPR Compliance with Risk Management

Despite the General Data Protection Regulation having the force of law, Gartner has issued two different predictions that less than 50% of organizations covered by the law will be in compliance by the 25 May 2018 deadline. A recent Dell survey also found that only 3% of those covered had finalized a strategy to be compliant, while 37% had started such a strategy. Ergo 60% – a majority of entities covered by the regulation – currently have no plan to be compliant. By all accounts, being compliant with the new GDPR obligations will require adjustments from the majority of covered entities that are so extensive that the groundwork for compliance ought already to be underway, so industry’s sluggish reaction is raising some eyebrows.

However, at least some experts remain convinced that the GDPR is already changing industry behavior and will continue to influence it. Speaking at an International Association of Movers (IAM) conference in London last week, Gartner research director Bart Willemsen highlighted several features of the GDPR that in his opinion will carry the greatest weight for covered entities.

Willemsen stressed the GDPR’s emphasis on a data life cycle, and its new rules governing the end of that life cycle, which is the problematic part of the status quo for EU citizens today. Specifically, he highlighted the maximum penalty: the higher of 20 million Euros or 4% of annual turnover for the most serious infringements, or half that for less serious infringements. He also highlighted that individuals now may bring class actions, and that breaches such as the Yahoo breach of 2016 would cost 860,000 dollars per occurrence.

He also highlighted the strengthened and expanded rights of access, correction, portability and erasure. All in all, despite the current inaction suggesting non-compliance, he remained optimistic that industry would follow the GDPR. “This is a regulation, it is a law, and I am not telling you to break a law,” he said. “I drive a motorbike and don’t willfully break the speed limit; that’s breaking law. GDPR is law but I have faith in you.”

https://www.infosecurity-magazine.com/news/gdpr-compliance-risk-management/