GDPR after the Deadline: The Emerging Challenges Tied to Information Privacy and Security
The GDPR’s May 25, 2018 deadline resulted in a mad compliance and security scramble, not only for European companies but also for any company doing business in Europe or with European customers.
We just published a new market research report on GDPR. The purpose of this survey of 262 executives was to quantify – as close to the May 25th deadline as possible – the following three key issues related to GDPR:
- How do organizations view the emerging challenges tied to information privacy and security, and who have they charged with this task?
- At the deadline, where are organizations in their GDPR journey, and how much did they spend to get there? How do they assess their progress in meeting the core requirements of GDPR?
- What kinds of special pain points do unstructured information (i.e., content) raise in GDPR compliance efforts, and which core IIM technologies do organizations see as critical to their efforts?
The scope of GDPR includes more rigorous consent requirements, data anonymization, the right to be forgotten, and breach notification requirements. Violations could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year – whichever is the greater – being levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover – whichever is greater. For the average Fortune 500 company, that puts fines in the range of $800-900M.
But the impact of GDPR goes beyond the immediate need to be compliant. The GDPR reflects an emerging consensus that the rules, practices, and technologies used to manage the security and privacy of personal information need to evolve to reflect the explosive growth of this information and the increasing sophistication of the tools to manage it.
Information privacy is still an afterthought for most organizations. Only 36% of organizations have a dedicated privacy function – a key factor in determining accountability. The other 64% either lodge responsibility in another function or have no privacy function to speak of.
For nearly 40% of organizations, the primary reason to focus on GDPR is that they have to – it’s a legal obligation. Missing from this fairly practical calculus is the fact that a strategic and focused approach to information management and information governance is not just good hygiene – it sets the stage for machine learning and artificial intelligence.
There are a variety of accountability models for GDPR, with no clear winner: IT is responsible in 27% of organizations, followed by LOB (finance and operations, 19%), RM/Information Governance (15%), Legal (15%), and Compliance (13%). For AIIM audiences, the relatively low percentage of organizations that place GDPR responsibility with RM/IG perhaps reflects a long-term shift for this function in the direction of IT.
Fear of additional regulatory scrutiny – somewhat akin to the fear that an IRS audit frequently leads to additional audits – is the primary worry for 32% of organizations should they suffer a compliance lapse.
About John Mancini
John Mancini is the President of Content Results, LLC and the Past President of AIIM. He is a well-known author, speaker, and advisor on information management, digital transformation and intelligent automation. John is a frequent keynote speaker and author of more than 30 eBooks on a variety of topics. He can be found on Twitter, LinkedIn and Facebook as jmancini77.
Recent keynote topics include:
- The Stairway to Digital Transformation
- Navigating Disruptive Waters — 4 Things You Need to Know to Build Your Digital Transformation Strategy
- Getting Ahead of the Digital Transformation Curve
- Viewing Information Management Through a New Lens
- Digital Disruption: 6 Strategies to Avoid Being “Blockbustered”
Specialties:
- Keynote speaker and writer on AI, RPA, intelligent Information Management, Intelligent Automation and Digital Transformation.
- Consensus-building with Boards to create strategic focus, action, and accountability.
- Extensive public speaking and public relations work.
- Conversant and experienced in major technology issues and trends.
- Expert on inbound and content marketing, particularly in an association environment and on the Hubspot platform.
John is a Phi Beta Kappa graduate of the College of William and Mary, and holds an M.A. in Public Policy from the Woodrow Wilson School at Princeton University.