Binding contracts and model clauses
GDPR compliance goes beyond technical and procedural capabilities. Many companies are seeking special contracts to assure regulators and indemnify themselves. So-called model clauses, contracts created between companies and technology vendors to ensure certain data protection standards are met, are being adopted by 58 percent of respondents, says PwC's Cline.
But Cline also says that 75 percent of those surveyed are seeking binding corporate rules for EU cross-border compliance, which essentially allow companies to get an EU regulator to sign off on their data privacy program, policies and procedures. "This allows a company to transfer its European data around the world," Cline says. "It's a higher bar [to reach], but it's more flexible in the long term."
Willemsen says that model clauses and binding corporate rules work best when implemented together. "BCRs seem to be the explicit favorite of EU data protection authorities, although I still see organizations also revert to adoption of the standard contractual clauses (or 'EU Model Clauses'). Some use them in addition to BCR with an overlapping scope, which I think is excellent."
Despite the three-year advance notice -- the EU announced GDPR in 2015 -- some enterprises are woefully behind schedule.
While most used the 2016 budget cycle to assess their data protection gaps and aim to fill those gaps in 2017, Cline says 23 percent of respondents hadn't started preparing to meet GDPR and will find it hard to catch up. "American multinationals that have not taken significant steps to prepare for GDPR are already behind their peers," Cline says.
This is no surprise to Willemsen, who wrote in a September research note that over 50 percent of companies affected by the GDPR will not be in full compliance with its requirements by the end of 2018. However, rather than allocating a larger portion of their budget to meet GDPR in the next cycle, companies should dedicate a permanent budget for privacy compliance.
"This is the ethical way to do business," Willemsen says. "Good privacy safeguarding ... should be at the core of your operation, demonstrating value to both client and colleague. Similar to security, if you do it right, privacy [compliance] is a business enabler rather than a stumbling block for those who value consumer trust."