Legal 'gray areas' holding back GDPR compliance program maturity

The EU's General Data Protection Regulation went into effect 90 days ago and has been on companies' radar for years as its privacy mandates were hammered out by regulators. But despite the regulation's high profile, many companies' GDPR compliance programs still leave something to be desired, according to attorney Nicholas Merker, a partner and co-chair of Ice Miller's Data Security and Privacy Practice.

There are several reasons for the trend, Merker said, including legal "gray areas" that likely hold companies back from fully integrating the privacy rules into their IT processes. In part one of this two-part Q&A, Merker provides a 90-day assessment of companies' GDPR program development -- or lack thereof -- and how companies that are compliant are seeing big improvements in user privacy.

Editor's note: The following has been edited for clarity and brevity.

Now that GDPR has been in place for almost three months, how are companies doing with being compliant? Are there any particular pain points you are seeing?

Nicholas Merker: A lot of companies haven't even started a GDPR compliance program, even though they may be multinational and they should be compliant. In addition, I think among the pain points people are feeling is that they started too late, so they're trying to gather all of the data that you need in order to actually get started on a GDPR compliance program.

Really, the first thing that you want to do under GDPR is a data inventory -- and there are clients that started in, let's say February, but data inventory is a project that's still going on right now.

Nicholas Merker

Do you think it's going to take a major GDPR violation and accompanying fine before companies take the regulation seriously?

Merker: I hope not, but that will probably be the item that gets these companies that aren't doing anything moving, unfortunately. One of the other issues right now is that we don't really have very much guidance out there from the regulators. We're not sure what they're going to be looking for. We're not really sure how they're interpreting certain gray areas within GDPR.

There's been some regulators that have been really good -- for example, the Information Commissioner's Office has some great guidance about consent and other things out there, but for how much of GDPR is kind of gray at the moment, each particular industry is kind of deciding the way that should be interpreted.

I think you're going to see some guidance come down that really forces companies that have spent a lot of time and effort in one direction then have to make some substantive changes because of that guidance.

You're seeing a lot of new jobs being created and companies who have never thought about privacy before really taking it seriously now.

It's certainly early on, but are the regulations working and protecting consumer privacy, or have there been any noticeable holes in the regulations?

Merker: The regulation has, like I said, a lot of gray area, but it has been a great thing for privacy as a whole, for a variety of reasons. The first is, and you saw this in the United States, we had our first state law that looks like an omnibus privacy law come into California because of GDPR's effect. We're seeing improvements that should be coming to Privacy Shield in September in the United States.

We're seeing a movement, slowly in the United States, to try to catch up to the rest of the world. And it's because the GDPR was in the news so much and companies spend so much money on it that you're starting to see that migration. In addition, you're seeing a lot of new jobs being created and companies who have never thought about privacy before really taking it seriously now.

Although I said that there are some companies that haven't done anything, there are some companies that have done quite a lot in GDPR compliance. They've built out whole teams. They spent tons and tons of money to get compliant and think about consumer rights. You're also seeing just a general rise in kind of consumer understanding of what they should expect from companies with privacy. I don't think the Cambridge Analytica and other types of news stories that have come out in the last couple months would have been taken as seriously but for the GDPR coming in and starting to shine the light on privacy, which is what industry really needed.