Paying The Price Of GDPR

Has anyone calculated the potential financial impact of the General Data Protection Regulation? With high percentages of companies saying they are unprepared, we could be headed for a global meltdown, given the penalties for non-compliance.

That’s assuming the EU bureaucracy will take an activist stance -- and that’s not clear. But most firms fear that it will.

A new poll by the Cloud Security Alliance, commissioned by Netskope, shows that 89% are concerned about the impact of the regulation, 30% are very concerned, and 30% are somewhat concerned. Only 11% are not at all concerned.

However, only 15% have adjusted their budgets to deal with potential GDPR penalties, and 47% have not. Another 38% are unsure. 

On average, proactive firms have set aside $4,260,618 to cover GDPR penalties.

Does that mean every data firm and email marketer expects to have to pay out? Probably not. The same poll shows that 32% are very confident they will be able to comply by May 25, 2018, the date the regulation takes effect, and 38% are somewhat confident.
At the same time, 17% say they are very prepared for GDPR, and 55% are somewhat prepared. Only 9% are not at all ready.

The most challenging GDPR measure is the right to erasure: 53% are worried about it. In contrast, only 30% are concerned about notifying a supervisory authority of a personal data breach.

The right to erasure means that companies have to delete personal data on request. GDPR's storage-limitation principle also requires that personal data not be kept longer than is needed for the purpose it was collected for.

But that issue has led to a flap in the UK — the Windrush scandal, in which “the UK government apparently destroyed the landing records for thousands of citizens from Caribbean nations who arrived in Britain after the Second World War,” Dave Cartwright writes in The Register.

This erasure is in line with the 1998 Data Protection Act, the rules of the Information Commissioner's Office (ICO) and the pending GDPR. But it shows that compliance could create problems of its own. What is the cutoff date for retention?

Cartwright notes that “the ICO would be hard-pressed to complain if you chose, say, 75 years, because you could claim it might be needed by someone claiming British citizenship through their parent or grandparent.”

Right. Without records, some could falsely claim citizenship, or be wrongly denied it. We can see that happening in the United States.

There are old-timers who got away with faking their academic records because the schools burned down. We could be headed for the digital version of that.

But back to the financial impact. Over half of the firms polled are making major changes to their plans in response to GDPR, and almost a third are making minor changes. The shifts are in these areas:

  • Provider agreements — 68%
  • Technology purchases — 53%
  • Use of cloud services — 41%
  • Product development — 37%
  • Budget — 37%

Which mechanisms are they employing to comply with GDPR?

  • Model clauses — 46%
  • Binding corporate rules — 59%
  • Procuring new technology or services specifically for GDPR — 42%

The results are based on 200 responses, with 56% of them from the Americas. 
