SumTotal Blog

GDPR Enforcement. Were Companies Ready?

August 14, 2018


The General Data Protection Regulation (GDPR) came into effect May 25th this year. Designed to harmonise data privacy laws across Europe and to protect and empower all European Union citizens’ data privacy, it is reshaping the way organisations approach data privacy.

Before the May deadline, organisations everywhere were scrambling to understand and implement all the required changes. Everywhere the main topic of conversation was the impact GDPR will have, with much of this attention focused around the significant financial penalty that looms threateningly for anyone not in compliance.

Now it’s August. The deadline is well and truly passed. How did organisations fare?

TrustArc, a leader in data privacy compliance and risk management solutions took a look at the results in their EU GDPR report.  The report highlights that the results differ by country and that most organisations are still working their way through all the many different sections the regulation covers.

Here are six key insights.

  • Only 20% of companies have completed their GDPR implementations; 96% have started and 53% are in the implementation phase. By the end of 2018, the percentage of all respondents expecting to be compliant (including those companies already compliant) will be 76% EU, 76% UK and 68% US.
  • Companies are most compliant with updating policies and procedures and cookie consent management and least compliant with vendor risk management and international data transfer.
  • The complexity of the regulation and the lack of in-house expertise to meet GDPR regulations was the most significant challenge.
  • Despite all the attention on the financial penalties for non-compliance, the primary motivator for companies to comply is support of corporate values and meeting the expectations of their customers and partners.
  • As we move forward, the top two concerns now are maintaining GDPR compliance and the ability to demonstrate compliance, such as with a GDPR certification.
  • The majority are positive about the impact of GDPR on their business

The findings of the report suggest that although the implementation process is formidable and the regulation intricate, the benefits outweigh the demands.

The work of GDPR compliance is ongoing, so organisations with Human Capital Management (HCM) solutions that can assist with this are hugely beneficial. SumTotal offers such assistance.

The latest enhancements to our solution come with the required functionality to facilitate GDPR compliance. These include:

Consent: Employees must consent to the collection of personal data. SumTotal’s solution allows an administrator to configure an attestation page that provides employees with the ability to confirm their consent before the use of the application. This attestation page is editable and multiple pages are configurable for different geographic regions. This function allows the employer to easily track an employee’s consent supporting the requirement of tracking all employee’s consent to collect data.


Portability of data: Employers must provide an employee, current or departing, with a copy of all their data that was collected. This information must be provided in a common machine-readable format which the employee can bring to their new employer if they choose to do so. With SumTotal, an administrator can quickly run a report on an employee that includes all personal data collected for that employee. This report can then be exported to a standard format such as a comma-separated values file (CSV) and given to the employee.


Right to be forgotten: When an employee leaves an organisation, they have the right to be forgotten. With SumTotal’s solution, an administrator can permanently delete any individual user’s personal data directly in the application.  Please note that customers should balance the right to be forgotten against any requirement retentions for legal, legislative and compliance purposes.


Now that GDPR is well underway, companies are gearing up for the proposed ePrivacy Regulation, a separate regulation aimed at protecting the confidentially of electronic communications in Europe. How this will work with GDPR remains to be seen, but for now, we know that as organisations continue to work towards compliance, they need to be aware that further changes lie ahead.

To see how the SumTotal solution works with GDPR compliance, register here for a free demo.

Leave a reply: