#1 Over half of companies are still not ready for GDPR.
To be honest, this number might even be higher. Anecdotal evidence from technology industry analysts and surveys of business leaders support this estimate too. I wouldn’t be surprised if a fair percentage of those who believe that they comply are actually not there yet, but are somewhere on the road to becoming compliant. We have to remember that the regulation is long and extremely complex; making the necessary changes cannot be accomplished overnight.
#2 The U.S. will NOT implement similar legislation anytime soon.
Right now, each state has some form of a data breach notification law, which is a step in the right direction. However, at the federal level, this will be a slow process, as new regulation is unwelcome in some regions. As we’ve seen from news headlines over the past year, the majority of U.S. citizens’ private data has been compromised by cyber criminals and released “into the wild.” Yet, no real legislative changes have been made. Indeed, the problem will likely need to reach epidemic proportions before we see legislation here in the U.S.
#3 New companies will be created specifically aimed at addressing GDPR.
While many compliance-centric organizations are already zeroing in on this area, new companies designed to help small and medium businesses address GDPR will form. SMBs face even greater risk compared to large enterprises because they have fewer capabilities (such as fully staffed IT and legal teams). I predict that we will also see a boom in data discovery tools and offerings, since organizations are struggling to find where their sensitive data lives, which is a necessary first step before they can protect it.
#4 Businesses are not prepared to respond to EU citizen complaints and requests.
I think this prediction will vary from country to country. For example, in the U.S., a majority of companies, except for the larger tech conglomerates, simply are not set up to respond to a high volume of citizen complaints. Based on a survey we conducted in late 2017, consumers in the UK have less awareness of the GDPR, and many may not even be aware of their new rights. However, German consumers are more aware and engaged, so the rates of complaints might be higher than expected. Employees must be trained on how to access the necessary consumer information, as they could receive requests from data subjects at any time. Organizations that are not prepared to respond to requests within the required one-month timeframe might find themselves in hot water with their data protection authority.
#5 The jury is still out on which company will be the first to receive a fine.
While the first full day of enforcement saw privacy complaints against several tech companies, this won’t necessarily result in the first fines, since those companies have deep pockets and strong legal resources to contest the penalties. It’s actually more likely that a small to medium enterprise will be the first to pay a fine, due to its more limited resources. If I had to bet, I’d say an American tech company will be at the top of the list, followed perhaps by a smaller telecom provider.