As I’ve mentioned a few times over the past couple of months, GDPR has spurred a number of states to come up with legislation for their own data privacy regulations.
However, I hope these state leaders continue to heed all the lessons from GDPR. It’s great that they are paying attention to citizens and consumers who want protections similar to those given to EU residents, but they also need to take steps to make sure they can improve on GDPR’s failings.
One of those failings is that organizations are still lagging in following the regulation. Even though 98 percent of companies have updated their data privacy policies for GDPR, according to new research from Talend, a whopping 70 percent of global companies are failing to meet the data compliance requirements. Individuals who are requesting copies of their personal data aren’t getting that information within the 30-day period, which violates a GDPR mandate.
The financial industry seems to have the best grasp of following the data privacy regulations, but even it is succeeding only at a 50 percent rate, followed closely by the hospitality/travel industry. The worst industry is retail, which meets GDPR compliance only 24 percent of the time. Given the number of breaches reported from the retail sector on an almost daily basis, you’d expect the industry to up its efforts to protect the privacy of its consumer information. In a formal statement about the research’s findings, Jean-Michel Franco, senior director of Data Governance Products at Talend, said:
“So many businesses fall short of their GDPR obligations even though there is a near-universal adoption of GDPR claims in privacy policies. This suggests the issue is how businesses store and organize customer data and the resources they are devoting to answering GDPR requests, rather than a lack of GDPR awareness.”
There is some good news in the report: of those companies that are meeting the 30-day deadline, the majority responded within 10 days, and the average response time is 21 days. So it is possible. And countries outside of the EU are doing better at responding than those in the EU.
GDPR is going to be an on-the-job learning experience for a while, I think, and it would behoove American companies and states to pay attention to how GDPR is shaking out. Why are so many companies slow to respond to requests about individuals’ data, and what can be done through state (or hopefully eventually federal) legislation to improve on that process? The research found that in these organizations, there is a lack of data visibility and accountability. Can these details be legislated into state privacy acts? And who will be overseeing the process to make sure organizations are in compliance?
Like so many things, GDPR sounds good in theory, but struggles to work in the real world. Will American data privacy laws work that way, too?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba