In the year since it went into effect, the European Union's General Data Protection Regulation (GDPR) has heightened awareness of data privacy issues and driven some important changes in how US companies handle consumer data. However, most organizations appear to be a long way off from implementing GDPR's core requirement for a privacy-by-design model for data protection, security experts say.
"As we wrap the first year of GDPR, most businesses progressed on accountability," says Jean-Michel Franco, a GDPR and data privacy specialist at Talend.
Many organizations have set up or refreshed their legal framework for data privacy, improved defenses against data breaches, and begun managing user consent more rigorously.
"But significant gaps toward compliance are generally still to be addressed," Franco says. Chief among them is the challenge many organizations face in capturing and reconciling all the data they have about their customers and employees and implementing the rights to data access and other rights available to consumers under GDPR, he says.
A Sweeping Mandate

GDPR went into effect May 25, 2018. The statute is designed to ensure that organizations handling private data on EU residents take proper measures to protect that data against misuse. It provides for administrative penalties of up to 4% of an organization's annual revenue or up to 20 million euros ($22.4 million) for infringements.
The law requires covered entities to minimize data collection, get explicit permission for collecting data, and explain to consumers in unambiguous language why they are collecting the data, how they will use it, and with whom they might share it. Organizations have up to 72 hours, in most cases, to report a data breach.