The General Data Protection Regulation (GDPR) was generally seen as a good thing when EU regulators came up with it in 2016. Consumer advocacy groups and online security experts lauded it as well. Some four years on, the legislation appears to be achieving its goals. But it is still causing headaches for companies.
Anyone who thinks the GDPR is a simple piece of legislation with provisions that are easily implemented has never actually looked at it in depth. It is so complicated that an entirely new industry of GDPR compliance consultants has risen in the last couple of years.
So why is the GDPR so difficult? It is not just one reason. There are a whole host of things working together to create a perfect storm for those companies still struggling to comply.
Not Just EU Legislation
Right off the top, the GDPR does not apply only to EU-based businesses, despite the fact that the law was implemented solely by the EU. It applies to all businesses with either customers or employees inside EU borders. For all intents and purposes, this makes the law nearly global in its reach.
Imagine being a small business owner running an e-commerce operation out of New Zealand. If you sell anywhere within the EU, you have to fully comply with all the provisions of the GDPR – even if you are running a one-person operation.
It is within the realm of possibility that some smaller companies outside of the EU simply stopped doing business in Europe rather than trying to comply. Abandoning the EU market is certainly one way to get around the GDPR. But it also means lost sales and revenue.
Confusing Enforcement Efforts
The GDPR’s primary enforcement mechanism is a financial penalty. Companies found out of compliance can face significant penalties, assessed either as flat fines or as escalating fines per violation. Yet the enforcement methods create confusion.
For example, how does the EU assess penalties against a company located on foreign soil that merely sells in the EU? If that company has no employees or physical offices in Europe, there is little EU regulators can do to force business owners to pay up. Thus, businesses inside the EU are unintentionally held to a higher standard than those outside.
Enforcement across international borders also touches on the idea of sovereignty. EU regulators are none too happy whenever the US tries to flex its data security muscles outside of its own borders – and rightfully so by the way. But the EU has effectively done the same thing with the GDPR.
Reporting Data Breaches
When data breaches do occur, companies are compelled by the GDPR to report them within 72 hours of discovery. Yet reporting is not as simple as picking up the phone and making a call. EU bureaucracy makes reporting within the 72-hour limit challenging even on good days.
Making matters worse is the fact that interacting with government agencies almost always involves multiple phone calls, emails, and forms to fill out. The amount of paperwork alone acts as a disincentive to report data breaches – especially when companies think they have a legitimate chance of getting away with not reporting.
The Data Protection Officer
A little-known provision of the GDPR forces most corporations that do business in the EU to hire a data protection officer. That is all well and good, but hiring and practical implementation are two different things. This is uncharted territory for corporations. They are expected to hire someone with GDPR expertise when there isn’t much expertise to go around.
This explains, in part, why GDPR consultancies are popping up across the EU. There are entire companies whose sole mission is to offer expert advice in data security and GDPR compliance. Companies would rather use such consultants than hire a data protection officer who may or may not know how to maintain compliance.
Confusion Among Consumers
If the business side of compliance is not problematic enough, companies are finding that their customers are equally confused. IT teams and customer service reps are finding themselves spending more time with customers trying to help them understand their rights and responsibilities. They are being asked questions that they do not have the answers to.
Customers who expect one thing only to experience something else are apt to take their frustrations out on the companies they are dealing with. Rather than understanding that the GDPR is confusing and complex for everyone, they simply expect companies to know exactly what they are doing. It is not that easy.
Few would doubt that the bureaucrats who came up with the GDPR did so with good intentions. Few would argue against protecting customer data against misuse and abuse. Yet as a piece of legislation the GDPR seems to fall short: it is highly complicated and difficult to implement in all of its provisions. As such, the GDPR continues causing headaches some four years after it was developed and two years after its implementation.