60% of Global Brands Unprepared for GDPR; Just 28% Believe Data Regime Will Mean Big Changes

GDPR has nothing to do with GDP, although some portion of gross domestic product may be needed to reach GDPR compliance. Seriously, even U.S.-based communicators should at least have heard of GDPR, the European Union’s General Data Protection Regulation, which takes effect in Europe May 25. GDPR loomed over the 2 days of questions Mark Zuckerberg faced during hearings on Capitol Hill earlier in the month.

GDPR regulates how companies use consumers’ personal data. Brands operating in the EU will need to abide by GDPR and rigorously report and perhaps drastically reduce data they collect about consumers. They’ll also need to explain to consumers clearly how and why they collect their data. Additional privacy controls also are part of the package. For example, consumers must opt in before their data can be collected and used.

During Zuckerberg’s appearance April 10-11, several lawmakers mentioned the possibility of implementing a GDPR-type regime to regulate Facebook. He seems on board.

“Overall I think regulations like this are very positive,” he said April 4. “We intend to make all the same controls available everywhere, not just in Europe.” In Europe, of course, Facebook has no choice but to comply with GDPR.

An April 17 Facebook post previewed the GDPR changes for Europe. It asked European users to agree to some GDPR terms.

With the issue of Facebook’s data security/Cambridge Analytica creating buzz in the U.S., PR News’ senior content manager Sophie Maerowitz writes “whether or not your brand collects or uses Facebook data, it’s probably a good idea” for communicators to know GDPR basics since it is they whom brands “will rely heavily on...to keep stakeholders, audiences and customers aware of how their data is being used” and, hopefully, protected. A good GDPR primer is the GDPR site at: www.eugdpr.org

The trouble is, global brands seem nonchalant about GDPR, a new survey of 531 data, cybersecurity and compliance professionals from Crowd Research Partners says.

Looking at Chart A, you see just 33% of respondents say their companies will be ready for May 25, with an additional 7% saying they’re now in compliance.

Chart B shows 37% expect to be ready in two months or fewer to be compliant. The rest, 63%, will need at least two months; 14% believe it will be years, not months, until they’re in compliance.

Perhaps one of the reasons the brands surveyed seem to lack urgency about GDPR is they feel the regime’s rules will barely change their data procedures. Just 28% see “significant change” on the horizon, as Chart C illustrates.

The next charts seem alarming. Looking at threats to data, Chart D equates cybercrime (60%) with employees’ accidental loss of data (57%). Chart E might be the most worrisome. 42% of respondents say they have no formal process to notify data protection authorities in the event of a data breach. As you see, 15% have a plan, but avoid contacting authorities.

While 80% confirm GDPR is a top priority, only half say they are knowledgeable about it or have deep expertise; 25% say they have no or only very limited GDPR knowledge.

The primary compliance challenges: lack of expert staff (43%); tight budgets (40%); and a limited understanding of GDPR regulations (31%). 56% expect their organization’s data governance budget to increase to handle GDPR.