This post originally appeared on the Red Clover Advisors Blog.
The privacy world is recognizing a big birthday this year.
Europe’s General Data Protection Regulation (GDPR) officially hit its year-one milestone on May 25, 2019.
But you probably won’t be celebrating.
That’s because most companies still have a lot of work left to do when it comes to full compliance. And if you’re one of those companies, you probably don’t even know it.
Truth is, GDPR compliance isn’t a one-and-done activity. A common misconception is once the 2018 deadline hit, companies could wash their hands of the mandate.
The GDPR is an active exercise, an ongoing execution of privacy best practices.
And when 71% of marketers believe lack of compliance could have a detrimental impact on their companies’ ability to conduct business, the implications are something to take seriously.
A MISTAKEN PERSPECTIVE
You may remember the onslaught of companies – perhaps your own included – rushing to get GDPR-compliant processes in place before the deadline.
It was a chaotic time of window-dressing websites and creating cookie updates.
And it was followed by an eerie silence of privacy inaction.
There was a check-the-box mentality, fostered by the fact that governing bodies took seemingly no immediate action against non-compliant organizations.
Large companies that had doled out copious amounts of money for the update thought they were sitting pretty. Small companies that struggled to implement every iota of the regulation thought they were home free.
Somehow the reality of GDPR non-compliance fell off the radar: The consequences are severe.
From large corporations to small startups, regulators didn’t discriminate in which companies they held accountable for following the rule. Google paid $57 million for not properly disclosing data collection practices. CNIL slapped the startup Teemo on the wrist in October 2018 for not asking for consent when gathering geolocation data. And over 18 investigations are underway for big tech companies, including a potential $1.6 billion fine for Facebook.
This means the GDPR birthday should renew a sense of urgency for companies to improve existing compliance processes from 2018, or to finish implementing GDPR if they haven’t already.
Unlike other regulations, privacy laws are not a one-time or even once-a-year activity.
They have to be reviewed constantly – we suggest at least quarterly – and updated on an ongoing basis.
Year two of the GDPR regulation is the perfect time to execute this culture of privacy normalcy.
THE PRIVACY SHAKE UP
The GDPR of 2018 was only the beginning for privacy regulations.
Most experts are calling for the United States and Canada to pass down similar mandates in the next 5-10 years. The California Consumer Privacy Act (CCPA) is one state’s response to this outcry and will probably be followed soon by like-minded laws from other state governments.
Because of this long-term perspective, it’s important for companies to understand that the first year of the GDPR implementation only covered the fundamentals of privacy rights.
During 2019, regulators will articulate even more clearly their expectations.
They’ll detail what’s most important to have in place based on the next round of fines they intend to levy. And they may even amend the regulation to reflect findings brought to light over the past 12 months.
This should underscore the fact companies shouldn’t wait to get their houses in order when it comes to privacy updates.
Privacy will eventually hold the same weight in an organization as the finance, HR, and legal departments.
Business executives and owners should view year two as an opportunity to overhaul their companies’ privacy processes, ensuring they take the front seat.
After all, the GDPR highlights the need for a sustainable process to review all existing vendors on a regular basis and vet all new processors against privacy and security requirements.
Data inventories are becoming commonplace.
Unfortunately, security and data breaches are, too.
The GDPR and future privacy laws aren’t just enforcing these rules as a show of power. Rather, they’re supporting company-consumer relationships for what is fast becoming a way of life.
NEXT STEPS FOR COMPLIANCE
61% of businesses from a Deloitte survey said they believe the GDPR has benefits beyond just implementation. Of those, 21% expect significant benefits, including competitive advantage, improved reputation, and business enablement.
These privacy officers get it.
Privacy regulations like the GDPR are an opportunity to build strong relationships with customers based on trust.
Trust is the building block of any successful, long-term relationship.
And when long-term relationships will get you more money consistently – it’s six times more expensive to win a new customer than retain an existing one – the GDPR starts to make a lot of sense.
B2B consumers are looking for compliant companies that care about their privacy. In fact, some customers will abandon companies that ignore privacy best practices.
B2C consumers are especially savvy when it comes to this. These people are especially tuned in to privacy no-nos such as emails sent without permission and missing website opt-ins.
It’s true: Being GDPR ready gives your company a competitive advantage.
If you didn’t start in 2018, you need to start now. If you implemented last year, you need to update and improve.
This will involve scrutinizing critical parts of the GDPR requirements, such as those listed below. Addressing these might be enough:
- Data inventories
- Vendor management
- Privacy notices, cookie consent, and marketing activities
- Security and data breaches
Companies aren’t just responsible for creating repeatable privacy processes for these four areas.
Training your team is critical to a successful privacy program. We’re talking every employee, not just your direct reports. Annual security meetings or courses don’t cut it anymore. Instead, implement company-wide communications, monthly tips, quarterly updates, in-person or online events, and contests.
Doing this ensures privacy is a shared team goal and something in which each person is significantly invested. Privacy compliance will simply become a regular part of doing business.
And your team won’t be surprised or unprepared for the next international, national or statewide privacy law.
Conclusion: The GDPR Compliance Challenge
There’s no doubt there are moving parts that require constant fine-tuning when it comes to GDPR and other privacy standards.
It’s crucial for a capable professional to manage these changes.
Yet this highlights one of the main challenges companies face when it comes to privacy law compliance: 43% bemoan lack of expert staff and 31% admit they have a limited understanding of GDPR regulations.
While these challenges are overwhelming, they’re not impossible to solve.
And with GDPR compliance something you can’t afford to ignore, you have no choice but to find a way to overcome them.
The first step is education.
There is a litany of reliable resources online to help you understand the privacy law. You can check out our free GDPR Resource Library to get started.
The next step is assigning a point person.
If you don’t have a CISO or an appropriate person on your team to step into the role, it may be time to hire an outside resource. Even if you’re in the CISO role and feel over your head when it comes to GDPR planning and implementation, bringing in a third party is a good idea.
With more than 20 years of experience, our team of privacy experts can step in to assess the situation. We’ll act as an extension of your team to create a game plan for tackling the GDPR. We can even serve as a fractional Privacy Officer to help over a longer period of time.
Whatever personnel direction you go in, it’s important you start now. Year two of GDPR is not a time to rest on your laurels.
Register now for our upcoming webinar, GDPR: First Year in Review and Sneak Peek to the Year Ahead, on June 20, 2019, at 12 PM EDT.