GDPR was implemented a year ago, which means it is time for an assessment. So far, fines have been minimal, but companies are still worried about complying with the privacy law.

More than a year after the European Union’s General Data Protection Regulation (GDPR) went into effect, many businesses still struggle to make sense of the wide-ranging privacy and data security rules.

Since GDPR went into effect in May 2018, fines have been minimal—at least if you’re not Google—with less than €1.2 million (US$1.4 million) in fines being levied on companies. The search giant, meanwhile, has been fined €50 million (US$56.3 million) by France’s data regulator for a lack of transparency and consent in advertising personalization.

Despite a lack of major fines, many companies remain concerned about GDPR compliance, with some observers expecting large fines as the regulations mature. And beyond the EU, other jurisdictions have used GDPR as a starting point for their own privacy laws. For example, Brazil approved its own General Data Protection Law in August 2018, a California privacy law is going into effect in 2020, Nevada passed a privacy law this year, and other states are considering similar laws.

Beyond pop-up notifications

The most visible change since GDPR went into effect is the privacy notifications that pop up when you first visit a website, prompting you to click on a button to acknowledge that the site uses cookies. But GDPR goes much deeper than required cookie notifications.

These privacy notifications are the "very tip of the iceberg—the Band-Aids on a deep, gaping wound," says Anne P. Mitchell, a tech-focused lawyer and GDPR consultant. "Companies have had to start taking their data collection, storage, retention, and processing systems very seriously."

GDPR requires companies to change the way they deal with personal data. "My first name is personal data," Mitchell says. "My IP address is personal data. Pretty much any piece of information, no matter how small and seemingly inconsequential it is, is personal data if it can help in some way to identify me as an individual."

The regulation gives consumers the right to be informed about how companies are using their personal data, the right to see what personal data of theirs a company holds, and the right to correct inaccurate information about them. The GDPR also allows consumers to have their personal data removed from a company’s databases—the so-called right to be forgotten—and to restrict companies from using their personal data.

The regulations also give EU residents an implied right to an explanation when they are subject to an automated decision by artificial intelligence or other technologies.

All kinds of regulations

With the above only a partial list of what GDPR covers—the text covers 99 articles, or sections, in 11 chapters—many organizations continue to be zeroed in on compliance.

The breadth of GDPR rules forced companies to evaluate their data-handling practices and business processes at "every level," says Byron Rashed, vice president of marketing at network security vendor Centripetal.

In many cases, businesses hired GDPR consultants to assist with compliance and implement changes like data handling disclosures and new opt-ins for marketing communications, he says. Companies that hire vendors to handle their data security, opt-in privacy controls, and data handling functions need to ensure that their service-level agreements include GDPR compliance and liability protections, Rashed recommends.

Many businesses have put a new emphasis on protecting data, both in transit and at rest, and many put new controls on selling and sharing customer data, with some stopping the practice altogether. "Some sharing of data is still being done," with some companies still passing consumer data to partners, Rashed adds. "It will be interesting to see if any litigation comes out of this and what the outcome will be."

GDPR’s push for companies to anonymize personal data when possible is one area some companies are struggling with, says John Blamire, founder and chief security officer of the Falanx Group, a cybersecurity vendor. "Anonymizing vast stores of legacy data" can be difficult, he adds.

However, new technologies hitting the market can "cleanse" data stored in proprietary platforms, Blamire says. One such technology is the Furnace Ignite open source platform, which allows companies to filter stored data. It "enables quick extraction and sanitation of personal identifiable information to ensure our clients are conforming to regulatory compliance," he says.

Such data-filtering tools allow companies to scrub identifying information like Social Security and credit card numbers from consumer data when such information isn’t necessary for internal use.

Another sticky compliance issue is the requirement that companies delete the personal information of EU residents if they request it, adds Jim Liddle, CEO of Storage Made Easy, a cloud-based data storage vendor.

The effort is "time consuming and costly, and many companies still do not have their internal processes in place to do this without a tremendous amount of friction," Liddle says.

Technology vendors are gradually updating their existing products to embed GDPR compliance into them, he adds. But compliance is only partially a technology issue, with process changes also needed, he says.

"Technology on its own won’t necessarily keep companies safe," Liddle adds. "It is a philosophy on privacy, data governance, and data security that needs to be embedded inside of companies that deal with personal data."

There seems to be a difference in the way enterprises and small businesses have responded to GDPR, Liddle says. "Large businesses have thrown money at the problem, and to a certain extent, GDPR has generated its own cottage industry," he adds. "Smaller businesses, in some cases, have ignored it and, in others, have tried not to store any personal data."

Abandoning Europe

Some companies outside the EU have abandoned the European market. "You may well have seen, when visiting a site on the Internet, the message that denies access to the site because you have been detected as trying to access the site from the EU," says Liddle.

Lawyer Mitchell has also seen businesses shut off access to European customers, but she calls that strategy "incredibly short-sighted."

Those businesses can "still end up in hot water under GDPR," Mitchell says. "If John Doe, a U.S. citizen, is signing up for your U.S.-based service or placing an order through your U.S.-based website while on an airplane flying over an EU country, by the language of GDPR, the data that John provides to you is covered by GDPR."

GDPR doesn’t just cover citizens or residents of the EU but instead applies to all individuals "in the Union," without clarification on whether that means "sitting at a location within the EU boundaries at the time of data acquisition" or anchored in the EU by where an email address or telephone number originates, Mitchell says. "The ambiguity in GDPR is a big fat gotcha waiting to happen for non-EU businesses, at least until these things get clarified through either amendment or lawsuits."

All this focus on compliance issues has led to some shortages of GDPR specialists as companies scramble to adjust to the new rules. GDPR requires organizations with large-scale data processing operations to appoint a data protection officer (DPO) to oversee compliance efforts, notes Simon Fogg, a data privacy expert and legal analyst at Termly, a privacy compliance software vendor.

"This is a highly skilled and complex role that involves auditing, education, and being a point of contact for those inside and outside the organization for all aspects of GDPR compliance," Fogg says.

Shortage of experts

Because few people have the qualifications, hiring these DPOs has become a roadblock to GDPR compliance, Fogg adds.

Between late 2016 and early 2018, job listings on Indeed.com for DPOs rose by more than 700 percent as companies rushed to comply before GDPR went into effect. At that time, the International Association of Privacy Professionals (IAPP) predicted at least 75,000 DPOs would be required worldwide to keep companies compliant.

This turned out to be a conservative estimate, Fogg says, because in May, the IAPP reported that 500,000 organizations have registered DPOs. "Becoming GDPR compliant requires the right team—and the companies that focused on staffing early are the ones that found the GDPR easier to deal with," he adds.

In addition to focusing on hiring privacy and compliance professionals, many companies have had to overhaul their security architecture to meet the requirements in Article 32 of the regulation, Fogg says.

German social networking site Knuddels.de was fined for violating Article 32 because a hacker was able to steal the personal data of 330,000 users, Mitchell notes. The site paid a relatively small fine of €20,000, but it also spent much more, reportedly in the six-figure range, to improve its security. "Companies have found out—some, the hard way—that if big changes are necessary, it’s most cost-effective to make them as soon as possible," he says.

For businesses still struggling to deal with GDPR, the best advice may be to get outside help, adds Alexandra Marin, co-founder and director of design at CodeCrew, an email marketing agency.

While there have been many criticisms of GDPR, Marin sees the regulations as a positive step forward, particularly for legitimate businesses that market their services to willing customers.

Many e-commerce businesses were "scared to the core" about the GDPR and follow-on privacy regulations, Marin says. "But the reality … is that it did more good than bad to businesses that were true at heart," she adds. "Spammers got what they deserved, while businesses with a true mission and a clean marketing approach reaped the rewards of having more real estate in their clients' eyes, hearts, and email inboxes."

GDPR takes a reasonable approach to online marketing, Marin adds.

"Were you buying lists off the Internet? Were you using black-hat techniques to essentially steal those email addresses? Chances are that you either listened to the wrong folks or you need to check your principles. In the end, the common-sense approach, where you only contact people who want to hear from you, won."

GDPR one year later: Lessons for leaders