GDPR Compliance: Is It Becoming Mission Impossible for Businesses?
The question of GDPR compliance challenges continues to dominate conversations across the information security industry. As the regulation reshapes how organizations handle and store data, many are wondering if the task is simply too daunting. Recently, four industry experts gathered to dissect the most pressing issues surrounding this landmark regulation.
Jaspreet Singh, CEO and founder of Druva, a cloud delivery vendor, noted that GDPR introduces multiple factors affecting cloud operations. He stressed that compliance is non-negotiable for anyone working in the cloud. Singh highlighted four critical areas: data location, sensitive information identification, breach notification, and the right to be forgotten. The right to be forgotten, he argued, poses a significant challenge for data processors who maintain multiple copies of data. Cleaning up systems to comply can feel almost impossible.
Where Is My Data? The Core Concern for GDPR Compliance
One of the most persistent GDPR compliance challenges revolves around data location. Steve Maltby, director of sales at Oriium, pointed out that when data moves beyond the corporate perimeter, knowing exactly where it resides becomes difficult. He emphasized the need to enforce policies on endpoint devices, working closely with partners to track data.
Neil Stobart, global technical director of Cloudian, highlighted a transatlantic complication. In the United States, there is no single federal data protection law, leaving companies to do their best. This approach conflicts directly with GDPR’s stringent requirements. Stobart warned that using US-owned data centers raises concerns, as any entity can be subpoenaed. The European Union remains uneasy about this, especially after the collapse of the Safe Harbor framework. He noted that a Canadian data center provider is already offering services to US companies, bypassing some of these issues.
Darron Gibbard, chief technology security officer at Qualys, offered a glimmer of hope. Although Privacy Shield fell apart, the model clauses within it remain valid. Organizations can still use these clauses to protect data leaving the EU via cloud or other mechanisms. This provides a potential path forward for cross-border data transfers.
Will GDPR Make Businesses Care More About Data Location?
Stobart expressed doubt that smaller businesses fully grasp what GDPR requires. He believes many lack the resources to understand and implement the necessary measures. Gibbard, drawing on his experience in financial services, noted that legal teams often drive GDPR initiatives. The C-suite focuses on the potential fines, which can reach up to 4% of global annual turnover. This financial threat has sparked early conversations about identifying data both inside and outside the organization.
Gibbard described the process of mapping data as one of the most time-consuming tasks for information security teams. It involves working through the entire supply chain, including third and fourth parties, to understand end-to-end data usage. Ensuring data stays within the EU adds another layer of complexity. Many organizations will struggle to complete this mapping exercise effectively.
How Prepared Are Businesses for GDPR Compliance?
When asked about readiness, Gibbard estimated that only 10% of businesses are truly prepared for GDPR compliance challenges. Stobart agreed that heavily regulated industries will likely be ready, but smaller enterprises will face significant hurdles. He also raised concerns about the lack of clarity on when a data protection officer is required. Until a minimum employee number is established, this remains an unresolved issue.
Stobart shared an anecdote about a business owner who initially calculated that the fine for non-compliance was less than the cost of implementation. He decided to take the risk. However, after reconsidering the potential financial and reputational damage, he changed his mind. The fines, Stobart noted, are a powerful motivator—money talks. Gibbard added that brand impact is another critical factor. A public breach can erode customer trust far beyond any monetary penalty.
Will GDPR Set a New Standard for Data Protection?
Singh pointed out that US companies are already familiar with regulations like HIPAA. For them, GDPR may not represent a massive shift. He also noted that the FBI actively pursues companies that fail to report ransomware attacks or breaches. Non-disclosure can have cascading effects on other organizations and suppliers.
Gibbard observed that in financial services, standardized breach notifications exist through regulators like the FCA or PRA. However, public notifications are not yet common. Consumers want transparency: how is their data being handled, where is it going, and what happened if it was lost? The process of handling access requests will be a massive undertaking. Locating data across multiple systems (databases, emails, scanned documents) is no small feat.
Stobart described this task as “almost mission impossible.” He illustrated the point with a hypothetical scenario: a company receives a request from an individual named Neil Stobart. Running a single query might identify all scanned letters, but for a small company, this level of effort is unrealistic. This brings the discussion back to the fundamental challenge of data location.
Singh emphasized the need for processes that can identify and notify breaches promptly. Gibbard noted that breach notification timelines remain uncertain, with different countries implementing varying rules. Customers want to understand the “blast radius” of a compromise—what other systems or data were affected. Knowing where data resides is essential for this level of transparency.
In the end, the conversation circled back to the same point: understanding data location is the foundation of GDPR compliance. Without it, organizations cannot effectively respond to access requests, breach notifications, or the right to be forgotten. The regulation affects everyone, and there is no escaping its demands.