Only about 1/3 of businesses report full compliance with GDPR rules, study finds

Dive Brief:

Just over one-third, or 34.5%, of surveyed professionals working to ensure their organizations are fully compliant with the European Union's new General Data Protection Regulation (GDPR) rules report achieving compliance, according to a new study by Deloitte. By the end of 2018, 32.7% hope to be compliant and 11.7% are taking a "wait and see" approach, per the findings made available via a news release.
Among respondents, 13.6% expressed confidence that their organizations know what data third parties have and are using artificial intelligence or other technology to manage contracts for GDPR compliance. More than half, or 56%, haven't finished uncovering what data third parties have or the implications of GDPR on third-party contract management, while 10.2% haven't started addressing compliance.
Under GDPR, 30.6% expect discovery to be more difficult for their organizations, 18.6% expect legal discovery to become easier and 17.2% expect no change. When it comes to scalability, 48.2% said their data privacy programs were scalable to address similar rules in other areas, while 19.8% say their efforts are GDPR-focused and not scalable.

Dive Insight:

The new Deloitte survey helps illustrate the lingering confusion and sluggish adoption surrounding GDPR more than two months after the privacy rules actually took effect on May 25. Penalties for noncompliance with GDPR can be high — as much as 4% of a company's annual revenue — but the fact that a number of businesses are still taking a wait and see approach shows how the integration and enforcement of the regulations remains somewhat nebulous.

GDPR aims to push internet companies to receive informed consent before collecting any information on their users, including for ad targeting purposes. However, achieving compliance can be complicated, especially in a marketing ecosystem that includes brands, agencies, publishers, platforms, ad tech providers and more. This has frequently created tensions in both the lead-up to and rollout of GDPR as partners gauge who bears the brunt of responsibility in meeting compliance.

Last month, Google also created a stir by delaying participation in a consortium of ad tech companies around GDPR, which caused some members to fall out of compliance. Google said at the time that it would join the program this month, and had implemented a temporary solution in the meantime. However, critics said the measure was ineffective and that some ad clients still targeted ads to consumers who had not consented to them, which might incur penalties.

Deloitte notes that third-party contract management is one of the biggest hurdles for GDPR compliance as it requires organizations to ensure privacy protection by obtaining consent from users around data that is collected to deliver targeted ads. That means organizations need to be able to identify vendors and the data that they hold. Keeping contracts updated or renegotiating agreements could help with compliance, but as the Deloitte findings suggest, few are confident in their systems to meet this requirement.

One area that organizations seem to be doing a decent job addressing is scalability. As data privacy continues to be a top concern for consumers, places beyond the EU are starting to impose rules that mirror those of GDPR, meaning companies need to prepare for greater scrutiny outside of Europe. The state legislature in California, for example, passed a privacy law in June that gives consumers the right to request data that business collect on them and ask businesses not to sell the data. It also imposes strict rules and potential fines on how businesses disclose data collection.