‘When the Dust Doesn’t Settle’ – GDPR Compliance One Year In

13 Pages Posted: 24 May 2019

See all articles by Nathan Good

Nathan Good

Good Research

Ira Rubinstein

New York University (NYU) - Information Law Institute

Jared Maslin

Slalom Consulting

Date Written: April 27, 2019


The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018. In the year since then, companies have had mixed success in fully implementing it. Organizations’ experiences with the GDPR have varied depending on their industrial sector, global presence, and maturity. The same can be said for the many consultancies and third parties that companies have enlisted to support their compliance efforts. Based on our own experience with providing such support to companies seeking compliance, we have concluded that both consultancies and companies fall into two camps: Those expecting to complete large-scale GDPR efforts on or about May 25, 2018, and those who have realized that this date marked the beginning of a much longer, and possibly transformational journey toward data privacy. Some of this gap is a product of the GDPR’s uniqueness as compared with systems-level security controls, which are the bread and butter of many consulting firms. In contrast with Service Organization Controls (SOCs), the GDPR makes a concerted effort to refrain from prescribing rigid steps toward achieving data privacy compliance. This challenge is compounded by the continued realization that data privacy and data driven products are matters that are deeply engrained in the ways that large-scale organizations operate and generate competitive advantage in today’s global economic climate.

In this article, we identify and describe practices we have observed on a global scale and across industries as companies attempt to implement privacy requirements, address regulatory gaps, and navigate this new privacy landscape. We discuss technical, business, and process level constraints and opportunities for advancing the goal of embedding privacy into the product life cycle and provide examples for others to learn and build from.

Suggested Citation

Good, Nathan and Rubinstein, Ira and Maslin, Jared, ‘When the Dust Doesn’t Settle’ – GDPR Compliance One Year In (April 27, 2019). Available at SSRN: https://ssrn.com/abstract=3378874 or http://dx.doi.org/10.2139/ssrn.3378874

Nathan Good (Contact Author)

Good Research ( email )

828 San Pablo Ave
Suite 120D
United States

Ira Rubinstein

New York University (NYU) - Information Law Institute ( email )

40 Washington Square South
New York, NY 10012-1301
United States

Jared Maslin

Slalom Consulting ( email )

7800 Forsyth Boulevard Suite 850
St. Louis, MO 63105
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics