• United States




Going through the 7 stages of GDPR

Apr 27, 20186 mins
CompliancePrivacyTechnology Industry

How to cope with the pain and distress of compliance to the new General Data Protection Regulation (GDPR).

businessman with stress headache pain frustration
Credit: Thinkstock

Spring is here, finally, after a long and drawn-out winter. For most of us that’s great news, but some cybersecurity professionals may instead be overcome with a sense of dread. Why? Because the European Union’s General Data Protection Regulation (GDPR) becomes law in a matter of days.

Actually, it looks like more than just a few security leaders are experiencing a sinking feeling in the pit of their stomachs right about now. According to Crowd Research Partners’ 2018 GDPR Compliance Report, only 40 percent of organizations are either GDPR compliant or well on their way to reaching compliance by the May 25 deadline. The research firm attributes a lack of GDPR expertise and an overall underestimation of the effort required to meet the regulation as the culprits.

If your organization doesn’t find itself among the compliant, you might be mired in, what Deborah Hurley, a faculty member in the Brown University Executive Master in Cybersecurity (EMCS) program, refers to as one of the seven stages of GDPR. The following is a condensed version of how she describes these stages in a recent EMCS Podcast. (Perhaps they sound or feel familiar.) 

Stage 1: Shock and disbelief

The GDPR was adopted in 2016 with a two-year implementation window so that governments could get their legislation in order and companies could get to work on compliance. But even with a two-year warning, many companies are still either stunned with disbelief or in a state of full-on shock.

Fueling this problem is the fact that many U.S. companies don’t understand the full scope of the GDPR. Often, you’ll hear leaders say that they don’t have offices in the EU, therefore they aren’t affected by the regulation. But the scope of the GDPR is quite broad; it applies to companies with business operations in an EU member country, but also to those that offer goods and services to EU residents – even if they’re free. Take, for example, a website that gives information about horoscopes and collects visitors’ information; the GDPR applies to that site if any of those visitors live in an EU member country. If your organization collects information – personal data and even behavioral data (where visitors click on a web page, how long they stay on a page, etc.) – about a resident of an EU country, then the GDPR applies to you.

Stage 2: Denial

Despite this rather straightforward definition of which companies are affected by the GDPR, many remain in a state of denial. They think that regulators will go after the big fish – companies like Facebook and Google – because the penalties that those organizations would pay are much more substantial. The GDPR penalty for noncompliance or violation is 4 percent of the organization’s global turnover or 20 million euros, whichever is larger. So yes, that makes Facebook and Google interesting targets. But it doesn’t mean regulators won’t bother with the rest.

And it’s not just fines that regulators can impose. They can stop the processing of personal data, if they find an organization is in violation of the law. They can stop the transfer of personal data outside of the EU to a third country. And they can also stop business operations or bring lawsuits against violators. So they have a whole suite of enforcement abilities at their disposal.

Still, many companies opt to simply decide that they are, in fact, compliant and ignore all reasoning and rationale. Instead of working through these stages of GDPR to arrive at a positive outcome, they’re sticking their heads in the sand.

Stage 3: Pain

In this stage, as the shock wears off and denial gets old, companies start to wonder what they did to deserve such misery. They ask almost existential questions about the GDPR: Why is it being enforced? Does it have to apply to us? Do these regulators know how much it’s going to cost us to become compliant? Is this some sort of sick joke?

Stage 4: Anger

The noncompliant become defiant during this stage. Executives wonder aloud, “Who does the EU think they are? They can’t tell me what we can and can’t do with information that we collect!” Well, unfortunately, they can.

Stage 5: Bargaining

The noncompliant might also start to make bargains with higher forces that they know they can’t adhere to, like “Just let us be compliant and we’ll stop postponing our data governance initiatives!” Or they might think “We’ll just get our consultants to do it all!” Neither approach constitutes a compliance strategy.

Stage 6: Depression

As it begins to sink in with the noncompliant that they can’t change their status overnight, there’s a feeling of hopelessness. And this feeling is fed by irrational thoughts that make the problem seem worse than it is. People think “Wow, this is unlike any regulation we’ve ever seen before, how will we deal with it?” When, in fact, it didn’t come from nowhere. The GDPR is actually part of a continuum of legislation to protect personal data and privacy that’s been going on for more than 40 years. So, it’s an incremental amendment to a global trend, rather than something altogether different, and it’s important for people to realize that. It adds perspective.

Stage 7: Acceptance and hope

Once organizations have hit rock bottom, they may be able to begin to turn around and realize it’s time to assess and rebuild. By taking a good, hard, honest look at whether their organizations are affected by the GDPR, they can start to get a handle on compliance. Understanding the penalties that they might be up against and weighing them against the cost and effort required to become complaint, is also helpful. Then they can begin mapping out a plan.

Professor Hurley’s excellent encapsulation of GDPR helps us think about GDPR from the standpoint of a familiar model.

In brief, these are the steps to meeting the GDPR technical requirements:

  • Perform initial readiness assessments
  • Create a data mapping inventory
  • Perform privacy and data protection impact assessments
  • Address website tracking notification and consent
  • Put in place mechanisms for users to easily request personal data

There’s a lot to consider and forging a path to GDPR compliance takes more than technology know-how. It requires an understanding of policy and legal issues, customer relations, human behavior, and other factors. And it requires cybersecurity leaders working together with their executives to come up with a plan. But it beats sticking your head in the sand.


Alan Usas is Program Director and an Adjunct Professor of Computer Science for the Executive Master in Cybersecurity program at Brown University. The program equips industry leaders to address the global, technical, and policy challenges of cybersecurity issues. Alan is responsible for coordinating the work of academic, professional, and administrative personnel to establish the program and to achieve success and growth.

Earlier in his career, Alan led engineering teams in developing successful hardware and software products to secure networks, systems, and data. At Tandem Computers, now part of HP Enterprise, he managed software development for the SAFEGUARD access control system and led the development of cryptographic products for the Atalla Division. Alan held executive engineering positions at several startup companies that were designing enterprise access control and network security appliances.

Alan also held senior operational roles in information technology. In 2003, he joined Brown University as Assistant Vice President for Computing and Information Services where he had responsibility for the data, voice, and video network, core enterprise systems, and information security. Most recently, he was Chief Information Officer at the Yale School of Management. Additionally, he has held faculty appointments in electrical engineering and computer science at Princeton and Brown universities. Alan earned his bachelor’s at Princeton University and Master’s and Ph.D. at Stanford University, all in electrical engineering.

The opinions expressed in this blog are those of Alan Usas and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.