ISACA Now Blog

GDPR Deadline Day: Not Compliant Yet?

Raef Meeuwisse, ISACA expert speaker and author, “Cybersecurity for Beginners”
Posted at 7:32 AM by ISACA News | Category: Privacy

There are lies, darned lies, and then there are GDPR poll statistics. So, when ISACA recently approached me to help analyze a new poll on GDPR readiness, I was initially apprehensive.

After all, how many organizations are really expecting to be fully compliant with the new EU regulation on data protection by today’s deadline? Previous poll results from other sources have ranged as high as 90% and as low as 10%.

The significant variation in results might reflect the way that the questions are framed by different surveys, and moreover, whether the respondent believed that the results really were going to stay anonymous. When non-compliance with the regulation can result in fines of up to €20 million or 4% of global turnover (whichever is greater), very few organizations will openly admit that their compliance process expects to break the law and run some of their data illegally for a while.

Fortunately, the good folks at ISACA – supported by YOU (members of the ISACA professional community and readers of the ISACA Now blog) – came through with a set of results that have been far more insightful. The ISACA GDPR readiness poll is based on anonymous responses from thousands of relevant practitioners around the world.

Here are some of the survey highlights:

How many of us think our organizations will be ready by today? According to the ISACA GDPR readiness poll, only 29% of us think our organizations will be GDPR ready on time.

But wait, there’s more: 17% think their organization would not achieve compliance until at least 2019 or later and a substantial 31% did not know when their organization would achieve compliance.

When it comes to late-stage compliance remediation, the good news is that your organization may not be alone. However, with the unprecedented levels of potential financial penalty for non-compliance, it is probably not a good idea to remediate slowly.

However, fast remediation also has substantial downsides. For example, how many organizations have been forced to delete huge numbers of customer records simply because they rushed out a very badly worded opt-in request?

Meanwhile, in the rush to become compliant, there is at least a personal upside to this. Most of us are celebrating with each opt-in email we receive and ignore. Less junk in the mailbox – hurray!

(How I read most GDPR emails: “Would you like us to continue to send you annoying spam? Please? – Click here for YES or just ignore this email to have your personal information deleted by us.”)

What about the companies not directly asking people for an opt-in but simply updating their privacy policy terms and conditions, then providing a hard-to-find, complex series of PAUSE options (instead of opt-out) buried somewhere in their website application interface? Will that approach pay off, or are they lining themselves up for future non-compliance claims? Hmmm.

If your organization is not yet GDPR-compliant, you can take some degree of assurance from YANA - the fact that You Are Not Alone. In fact, right now, you are probably part of the non-compliant majority. However, be careful, because that means you are non-compliant with a piece of legislation with a penalty level that for many organizations could be an extinction-level event.

So, who will be the first targets for deep scrutiny of their GDPR approach by the relevant EU supervisory authorities? I believe this will be any organization discovering a substantial data breach soon after 25 May, in which the same organization also appears to have intentionally ignored or misinterpreted their GDPR obligations.

It is also wise to consider this: Everyone, from unethical hackers to unhappy customers and disgruntled employees, past and present, will soon realize that the easiest way to cause financial pain to any organization that has ignored some or all of their GDPR obligations will be through their stashes of non-compliant personal information.

Editor’s note: View more information on ISACA’s GDPR preparedness poll. For additional ISACA resources on GDPR, visit

