Compliance with Europe’s new data privacy rules is lagging, mainly because figuring out what data third-party contractors hold is proving to be a challenge for companies.
About a month after the EU’s General Data Protection Regulation (GDPR) took effect 25 May, only 34.5% of businesses affected by the GDPR felt they could defensibly demonstrate compliance, a Deloitte survey found.
Another 32.7% of respondents expected to become compliant by the end of the year. The remaining 11.7% said their companies were holding off on compliance efforts to see how EU regulators in various countries enforce the new rules.
The survey, conducted 22 June, involved about 500 professionals from at least seven countries who were involved in their companies’ GDPR compliance efforts.
GDPR compliance is a massive undertaking, said Rich Vestuto, a Deloitte Risk and Financial Advisory managing director. “Nobody wanted to be the vanguard, so many were stalling and watching what their peers were doing.”
Drilling into the data of third-party contractors is a particular challenge, survey results suggest. Just 13.6% of respondents said they know what data their third-party vendors have and are leveraging artificial intelligence tools to create, manage, and analyse contracts they have with the vendors.
The majority (56%) have started to identify data held by third parties but have yet to begin contract management. About 10% haven’t started on either.
GDPR, which was officially approved in 2016 after years of discussion, gives EU residents far-reaching abilities to inquire about and control how corporations collect, protect, and use their personal information. The rules stretch far beyond the 28 EU member nations and may apply when data of non-EU citizens is processed or goods and services are offered to EU citizens but no payment is received.
Companies with European vendors, employees, or even a single customer will need to comply with the regulation that allows citizens to inquire about the data collected on them, opt out of any ongoing marketing, and be able to have the information deleted upon their request.
Enforcement carries a punitive risk, too, with regulators able to levy fines of up to 4% of a company’s annual turnover or €20 million ($22.6 million), whichever is greater.
Nearly half (48.2%) of the respondents in the Deloitte survey said their GDPR compliance programmes are scalable, meaning they could address similar data privacy rules about to take effect or in the making.
California’s Consumer Privacy Act takes effect 1 January 2020 and is at least as strict as GDPR, Vestuto said. Within the US, New York is one of several states expected to follow suit. Outside of the US, Canada, Australia, and New Zealand are expected to upgrade their privacy rules.
Companies trying to catch up and become compliant with GDPR can seek help from experts, if they’re not sure they can figure out the details on their own. With or without help, Vestuto said, the four basic steps to compliance are:
1. Know what data you have and where it is. With database and business software constantly duplicated and downloaded to employees’ hard drives, uploaded to the cloud, or handed off to third-party vendors, an individual’s data could show up in hundreds, even thousands, of places.
2. Know what data your third-party contractors have. Third-party vendors and service providers that process individuals’ data also fall under the GDPR rules, and a company could be held responsible for relaxed approaches elsewhere.
This could apply to information shipped off to law firms for litigation purposes or shared with systems architects hired to restructure websites. Until regulators and courts interpret the rules, it’s unclear how deep companies should dig into the supply chain, Vestuto said.
3. Update, renew, and manage contracts with third-party contractors.
4. Make sure the company’s legal department is involved.
— Sabine Vollmer (Sabine.Vollmer@aicpa-cima.com) is an FM magazine senior editor.