Businesses Struggle to Negotiate GDPR Before, During and After Rollout

Businesses of all stripes continue to be dumbfounded by the European Union’s new mandatory GDPR laws.

Become a Subscriber

Please purchase a subscription to continue reading this article.

Subscribe Now

The General Data Protection Regulation, which went into effect on May 25, 2018, was passed in 2016 and is designed to safeguard the personal data of citizens in all EU member countries. The regulations apply whether or not the citizen is currently residing in the EU. In other words this set of regulations is designed to apply to any business with an internet presence seeking to use EU resident data to conduct business.

For many freewheeling internet companies, even starting to comply with GDPR is a daunting task, as the regulations touch so many aspects of data interaction.

At one recent peer to peer mentoring session at the 2018 RSA Conference about one month before the changeover, questions ranged from the broad “how can I ever do this” to more specific parsing of the definitions of arcane legal terms like “processor” and “controller.”

For those who are interested: Under the details of the law, a “processor” is a collector of data who must disclose information on the lawful basis and purpose of this collection, the length of storage time, and whether it is shared with third parties.

A controller is the person or entity which determines the purposes and means of processing personal data. A processor is a person or entity who processes personal data under the direction of the controller.

The nuances of these differences between controllers and processors are particularly vexing for apps and third party providers, which find themselves inhabiting both roles throughout the course of providing their services.

The law has added additional strain to business resources because of its vast scope. Whether it’s data collection, processing, handling, or application development, GDPR regulations will apply fully. Even more daunting than the scope was the lack of general consensus on what is and isn’t in scope at all.

Already the law has caused a few notable businesses to throw in the towel. Drawbridge, an identity management company, has divested from its media holdings in Europe. Klout, a social media rating service which shuddered in early May, was also rumored to be a victim of the legislation. If confusion persists, it’s doubtful that they will be the last.