The IAPP estimates that organizations have spent, on average, $1.3 million to date on compliance measures.
Still More Work to be Done
“We expect 50 percent of covered companies are still in the process of GDPR compliance and it will likely go on for another couple of years,” said Mark Schreiber, a partner in the Boston office of international law firm McDermott, Will & Emery, who heads the firm’s global privacy and cybersecurity practice. He spoke at a recent IAPP educational meeting.
Coordinating GDPR compliance across decentralized organizations and the appointment of representatives within the EU are focus areas for many companies, according to Schreiber. He also said companies must determine the proper role of data protection officers as they fine-tune their compliance efforts.
The IAPP anticipates it will cost each organization an additional $1.8 million, on average, to be fully compliant with GDPR rules.
In addition, PwC’s Dusaud said that a number of GDPR-affected companies didn’t launch privacy initiatives due to a lack of budget or because their business type or size guarantees them a low risk of exposure and penalties.
“Therefore, we see that the wave of GDPR is still rolling,” he said. “Remaining compliant over the long term will be the biggest challenge encountered by all companies.”
The Global Privacy Ball is Rolling
GDPR has also ignited a flurry of privacy activity in other countries. There is work afoot both at the federal and state levels in the U.S. to establish stronger privacy policies. The California Consumer Privacy Act of 2018 was ratified in June 2018, and the Washington Privacy Act bill was introduced in January 2019. Colorado has a new privacy law that mandates destroying customer data when it’s no longer needed for a business purpose.
In fact, in a 2018 IAPP survey of 550 members, 76 percent of firms reported that GDPR has motivated them to delete data when it’s no longer required for business reasons, while another 21 percent said they intend to adopt such practices soon.
At the U.S. federal level, the Social Media Privacy and Consumer Rights Act of 2018 continues to be evaluated. In February, expert witnesses testified in a Congressional hearing on data privacy that on its own, the proposed legislation — which mandates that a consumer be notified of a breach of their personal information within 72 hours — doesn’t go far enough.
The panel was divided as to whether federal privacy legislation should preempt state laws. On the one hand, some argued that having 50 separate state laws in an integrated national and global economy would be too complex and costly to administer. Others pointed out that federal legislation tends to be rigid and difficult to change in step with a digital economy that continues to swiftly evolve.
As the U.S. contemplates its next steps on privacy legislation, other countries are jumping on the privacy bandwagon. Brazil approved a new data protection law, the Lei Geral de Proteção de Dados (LGPD), which is heavily based on GDPR. China, India, Japan, South Korea and Thailand are among other nations that have passed new laws, proposed new legislation or are considering changes to existing laws to align more closely with GDPR.