Thomson Reuters
Compliance Learning

Top five concerns with GDPR compliance

Tiffany Robertson

05 Mar 2018


On May 25, 2018, the European Union's (EU) General Data Protection Regulation (GDPR) will begin to apply, requiring businesses around the world that handle the personal data of individuals in the EU to protect that data and those individuals' privacy.

The regulation was adopted in 2016, and businesses now have less than three months until they must be prepared to comply with its strict new rules.

Many have found it challenging to implement the necessary systems and processes to manage the immense amounts of data collected, track it from creation to destruction, and manage the storage of such data according to specific criteria in between.

Find out how Thomson Reuters Compliance Learning courses can help support your organization with compliance training

The third biennial Ernst & Young 2018 Global Forensic Data Analytics Survey asked several questions with respect to readiness for the GDPR.

Respondents indicated only 33 percent have an established plan for GDPR compliance, with another 39 percent signifying they are unfamiliar with the GDPR.

While Europeans naturally are more aware and prepared — with 60 percent having a GDPR compliance plan in place — other regions have more work to do: Africa and the Middle East (27 percent), the Americas (13 percent) and Asia-Pacific (12 percent).

Despite this lack of preparedness, however, respondents rank data protection and privacy risks as a top concern as they watch their overall risk profiles continue to expand.

Photography: Reuters/Tobias Schwarz (GERMANY)

Outlined below are five key reasons organizations are so worried about GDPR compliance.

1. New requirements

The GDPR focuses on accountability, transparency and governance to minimize the risk of breaches and uphold personal data protection by imposing new responsibilities on organizations.

It is not enough to carry out these duties once: organizations must adopt the required measures, test and maintain them over time, and be prepared to demonstrate their compliance to regulators on request.

2. Specific processes

Many of these new requirements are specific processes organizations must adopt, with the intent that such measures will help structure and formalize certain areas to make compliance more efficient.

The GDPR imposes concrete measures, such as:

  • The obligation to keep internal records of data protection activities;
  • The requirement to notify the supervisory authority of personal data breaches without undue delay (where feasible, within 72 hours of becoming aware of a breach that is likely to pose a risk to individuals' rights and freedoms) and to document the underlying facts, effects and remedial action taken; and
  • Appointing an official Data Protection Officer (required for some organizations).


3. Hefty fines and sanctions

Regulators are authorized to handle non-compliance with the GDPR in one of three ways:

  1. Issue a warning or impose a temporary or definitive ban on processing personal data;
  2. Impose a fine of up to EUR 20 million or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher, depending on the circumstances of each individual case; or
  3. Both of the above.

With these provisions, the GDPR hopes to make the cost of compliance less than the cost of violations.


4. Vague requirements

The lingering uncertainty around the GDPR is one of the biggest impediments to compliance, with parts of it deliberately left vague.

Undefined terms such as “undue delay,” “likelihood of (high) risk to rights and freedoms” and “disproportionate effort” will require further clarity by the courts or regulators, or time for specific market practices to develop.

Similarly, the regulation requires "appropriate" technical and organizational measures to protect personal data but does not define what level of protection is appropriate, leaving regulators significant flexibility in assessing fines for data breaches and non-compliance.

5. Extraterritorial reach

The GDPR's definition of personal data is also broad, requiring a high level of protection for a wide range of information. The regulation has an extensive reach, and many firms, particularly in the U.S., are not even aware they will be subject to it.

The primary principle behind the GDPR is that it treats personal data as belonging to the individual, not to the data controllers or processors that hold it. It protects individuals in the EU regardless of their citizenship, and it applies to organizations outside the EU whenever they offer goods or services to, or monitor the behaviour of, people in the EU.

Consequently, in today’s digital and global world, it’s almost impossible to avoid dealing with some form of personal data from the European market.

Find out how Thomson Reuters Compliance Learning can support your business with its GDPR compliance obligations


GDPR compliance is a facet of today's business environment

GDPR compliance can be complex, as well as costly and disruptive as organizations invest the time and resources needed to update systems and processes to the security level the regulations require.

However, data protection is now an essential consideration for an effective regulatory compliance framework, particularly for those within the GDPR’s extensive reach.

At a minimum, organizations should find themselves investing more in overall data security resources, such as additional staff or upgraded technology.

Although there will be an adjustment period after the GDPR goes into effect, EU regulators indicate they plan on actively enforcing GDPR compliance.

Thus, avoiding substantial fines and sanctions requires that organizations be prepared to offer evidence of data protection processes and accountability, as well as transparency with the regulators.

Thomson Reuters Compliance Learning online GDPR training course offers organizations a quick and effective way to ensure their employees understand the GDPR’s new and wide-reaching requirements.
