No one’s ready for GDPR

The General Data Protection Regulation (GDPR) will go into effect on May 25th, and no one is ready — not the companies and not even the regulators. After four years of deliberation, the GDPR was officially adopted by the European Union in 2016. The regulation gave companies a two-year runway to get compliant, which is theoretically plenty of time to get shipshape. The reality is messier. Like term papers and tax returns, there are people who get it done early, and then there’s the rest of us. “Very few companies are going to be 100 percent compliant on May 25th,” says Jason Straight, an attorney and chief privacy officer at United Lex, a company that sets up GDPR compliance programs for businesses. “Companies, especially US companies, are definitely scrambling here in the last month to get themselves ready.” In a survey of over 1,000 companies conducted by the Ponemon Institute in April, half of the companies said they won’t be compliant by the deadline. When broken down by industry, 60 percent of tech companies said they weren’t ready. 

GDPR is an ambitious set of rules spanning from requirements to notify regulators about data breaches (within 72 hours, no less) to transparency for users about what data is being collected and why. “For many years it’s been, ‘How much data can we trick people into giving us?’ and ‘We’ll figure out how to use it later!’ That is not going to be an acceptable way to operate anymore under GDPR,” says Straight. “There are some companies we’ve talked to, where they say, ‘Are you kidding? If we told them how we were using their data, they’d never give it to us in the first place,’” Straight says. “I’m kind of like, ‘Yeah, that’s sort of the point.’”