Commentary

The GDPR Brain Buster: Firms Can't Decipher Many Provisions

Are you confused by the EU’s General Data Protection Regulation (GDPR)? If so, you’re not alone, judging by a study released this month by AvePoint.

Of 239 marketers surveyed last year, 26% considered their firms fully compliant with the GDPR’s core processing principles. But that is down from 30% in 2016, and similar falloffs were seen in compliance with international data transfers and working and contracting with processors.

This may be due to new requirements in these areas -- or it could be caused by sheer confusion.

“There’s not a lot of detail [in the regulation] as to what we [the companies] need to do,” said Paul Holland, information security lead at insurance firm Hiscox, speaking at Cloud Expo Europe, according to Computer Weekly.


Holland added: “A lot of it is down to interpretation. I can see us having probably 10, maybe 15 years of mitigation going on as companies start to challenge the regulation in the courts when they are starting to look at being fined.”

Here are the areas in which they desire more clarity, according to AvePoint:

  • Legitimate interest — 47% 
  • Breach notification — 44%
  • PIA & risk — 44%
  • Notice & consent — 40% 
  • Privacy by design & pseudonymisation — 39%
  • Seals, certificates & codes of conduct — 35%
  • Internal records of processing — 34%
  • Brexit — 32%
  • DPO — 30%
  • Individual rights — 29%
  • Security — 28%

Granted, awareness may have gone up since last year, at least among lawyers and DPOs. (One point on which there seems to be no ambiguity is the implementation date.) Still, those are significant numbers of people who clearly find some language in the GDPR impenetrable.

“These are complex topics and ensuring their correct implementation is by no means a light task,” the study says. “Organisations will have to work hard to find and demonstrate best practices to ensure compliance with all aspects of the GDPR, including less straightforward aspects.”

Whatever their grasp of GDPR, chief executives are concerned about the impact of these provisions:

  • Enhanced sanctions regime — 44% 
  • Enhanced individual rights — 41%
  • Stricter rules on consent and reuse of data — 39%
  • Restrictions on profiling — 39%
  • Data security breach reporting — 32%, down from 38%
  • Additional processor obligations — 36%
  • Changes to internal privacy compliance program — 36% 
  • International data transfers — 35%

On another front, 38% fail to understand the full life cycle of the data they hold — i.e., how it is collected, used, stored, shared, archived and deleted.

On the positive side, 35% felt they have dealt with the initial impact of GDPR, vs. 21% in 2016. And the same percentage is adding resources to deal with the new law. But some of the compliance mechanisms seem primitive.

Take the required keeping of records of all data processing activities. Of those that have them (17% for all processing, 37% for some), half use a spreadsheet or Word document — hardly state-of-the-art. Only 24% utilize in-house automated systems, and 16% rely on email. Lawyers, get ready.

Of the firms surveyed by AvePoint, 55% are active in the U.S., 89% in Europe, 46% in the Asia-Pacific region, 35% in India and 36% in Latin America.