Regulators Aren’t Ready To Enforce GDPR Law

With Europe’s General Data Protection Regulation (GDPR) law coming into effect in May, regulators who are tasked with enforcing the law have signaled they are not ready yet.

Reuters reported that seventeen of twenty-four authorities who responded to a survey said they don’t have the funding, or lack the powers, to enforce the rules under the GDPR. “We’ve realized that our resources were insufficient to cope with the new missions given by the GDPR,” Isabelle Falque-Pierrotin, president of France’s CNIL data privacy watchdog, said in an interview with Reuters. She said she will be asking her government for more resources and staff. According to Reuters, many regulators lack the powers because their governments haven’t updated the law to include the ones that are Europe-wide. That process, the report noted, could take several months after the new rules take effect on May 25. The majority of the survey respondents did say they would react when they get complaints and will investigate them if there is cause. A minority said they would proactively look into whether or not companies comply and deal out sanctions when there are obvious violations.

Regulators are not the only ones signaling that they are not ready: so are merchants across Europe. Many merchants are reporting that they have yet to even think about how they will respond to the new rules. Some are playing the wait-and-see game, keeping an eye on others in the space for ideas; others are gambling on which rules to follow and which to ignore until the consequences of non-compliance become clearer. A few are lucky enough that their current practices will keep them compliant, so they won’t need to change a thing. GDPR’s regulatory ripple effect will touch organizations conducting business or having employees in the European Union.