Privacy professionals will probably never be able to forget the lead up to the EU General Data Protection Regulation, no matter how hard they try. Plenty of studies showed companies were not ready for the May 25, 2018, implementation date, which led to speculation about what would happen when the European rules finally arrived.

One of those studies was conducted by McDermott Will & Emery and the Ponemon Institute. In their survey, released in April 2018, 40 percent of respondents said they would be GDPR compliant after May 25. Financial services, tech and energy companies were more confident they would be ready before the big day.

Now the first anniversary of the GDPR is only weeks away, privacy professionals and government officials, such as EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová, have started their retrospective looks at the year that was. At an IAPP KnowledgeNet meeting in Boston, McDermott Will & Emery Co-Chair, Privacy and Security Mark Schreiber, CIPP/US, ran down some of the findings from its firm's study with Ponemon and offered some thoughts about how the first 10 months of the GDPR actually turned out.

Respondents cited the need to make comprehensive changes in business practices as the top barrier for GDPR compliance at 64 percent in 2018. Nearly one year later, Schreiber expects it to be a similar concern when respondents are polled again.

“We still have too little time and it's a year later,” Schreiber said. “We expect 50 percent of covered companies are still in the process of GDPR compliance and it will likely go on for another couple of years.”

Companies in the EU expressed higher levels of confidence to address the GDPR’s data breach notification requirements. While the European companies felt more assured than their counterparts in the U.S., reality set in for the member states.

“What we began to understand is that EU companies never reported data breaches,” Schreiber said. “They don’t use forensic vendors they don’t understand malware vectors and attack coordinates. It has taken us up to a decade to understand it and we are still grappling with it. The idea that EU companies could manage a 72-hour notification requirement was optimistic at best.”

Some of the concerns companies had around their GDPR obligations have not become the impediments they were feared to be. Operationalizing the right to be forgotten was only second to preparing for data breach notifications as the GDPR obligation that post the greatest risk. Schreiber said while his firm has seen data subject access requests, the RTBF has not factored into many of those inquiries in the first year of the GDPR.

There are still plenty of GDPR-related issues for organizations to tackle. Schreiber cited the identification of GDPR scope and coordinating GDPR compliance across decentralized organizations, the appointment of representatives within the EU, and determining the proper role of data protection officers as some of the tougher issues entities face in the road ahead.

Schreiber said some companies mistakenly believe since they do not have an establishment in the EU, they do not need to appoint a DPO at all, and that an EU representative would suffice. However, these organizations do not understand that the two position do not have the same obligations, and those entities cannot punt the DPO problem down the line anymore.

All these topics will continue to be fleshed out as privacy professionals enter year two of the GDPR era. Schreiber told attendees of the KnowledgeNet McDermott Will & Emery and Ponemon have started to finalize the questions for a new edition of their GDPR survey. For this year’s study, participants will include privacy professionals from Japan and China to examine any potential difference in the way their organizations have handled the GDPR. The law firm and Ponemon expect the survey questions to be ready around the time the IAPP Global Privacy Summit kicks off this spring.