There was definitely a “Y2K atmosphere” around GDPR as the May 25 go-live deadline approached. GCs were scrambling, and corporate counsel and their law firms were preparing for the strict enforcement threats (and potential infringement costs). Some were more ready than others. Some companies weren't ready at all, and others didn't seem to care much.

An article in Corporate Counsel earlier this year cited survey data showing that around 47% of respondents reported that to comply with GDPR they must change data security standards; 45% said they must change their breach notification procedures; and 43% said they need to modify incident response plans.

As the deadline got closer, my inbox was filled every morning with news, updates, tips and dire predictions about the coming impact on companies and their providers. Even now, GDPR is an urgent issue, but the constant barrage of information in May was overwhelming. A search for clarity led me to the January 2018 issue of McKinsey On Risk report.

It reprinted, among many other topics, an online piece they did regarding GDPR, and added some very useful supplementary information regarding key facts. In re-reading this article, I realize just how concise and useful it is in combining a big-picture grasp of the issue with practical steps.

As Forrester noted in their recent Predictions 2018 research, many companies were not ready by the May 25 deadline, and a big chunk of those intentionally are not complying. But that doesn't preclude knowing the requirements. What follows are the elements as described by McKinsey:

Documentation. Organizations should maintain a record of data-processing activities and be ready to present it to the regulator at any time.

Legal basis. All data processing should have a legal basis, such as the consent of the data subject or the need to fulfill a contract or legitimate business purpose.

Rights of data subjects. Organizations should implement rights such as the right to be forgotten (or, more accurately, to data erasure), the right to data portability, the right to object, the right to revoke consent, and the right to restrict processing.

Security. Organizations should protect data through means such as encryption or “pseudonymization” and have effective operational procedures and policies for handling them safely.

Third-party management. Vendors and suppliers, including outsourcing partners, should be required to protect personal data and should be monitored to ensure that they do so.

Privacy by design. Any organization planning a new technology, product, or service should consider data-protection requirements from the beginning of the development process.

Breach notification. Data breaches resulting in risk to individuals' rights and freedoms should be reported to the authorities within 72 hours, and subsequently to the data subjects as well in certain cases.

The biggest question that the GDPR raises in my mind is: is it too broad to be effective? It covers a lot of ground—both geographically and in regulatory scope—and a lot of companies. Enforcement is going to be difficult, regardless of how stringent the rules are and how much authority is given to supervisory organizations in Europe.

This sentiment is also echoed in a Forbes article, “15 Unexpected Consequences Of GDPR,” in which Wayne Lonstein of VFT Solutions, a member of the Forbes Technology Council, writes: “… regional enforcement of global technology is an impossibility and will restrict—not enhance—privacy, freedom and innovation.”

If you consider how much data GDPR covers, and that includes any information that can be linked to an identifiable individual (there are a lot of individuals involved), the difficulties become apparent. The most worrisome point for me is that the GDPR allows individuals to pursue civil action for infringement, including class actions.

Once that snowball gets rolling, the repercussions will be enormous.

Norm Finkel is a partner, attorney and head of litigation at Schoenberg, Finkel, Newman and Rosenberg in Chicago. Finkel is not only an experienced commercial litigator, but also a legal and business adviser. He serves as general corporate counsel for companies, large and small, and also serves as trial and appellate counsel in federal and state courts throughout the United States. He serves as an arbitrator for the Circuit Court of Cook County, is an adjunct professor at Northwestern University School of Law and is active in a number of professional, charitable and civic organizations. Contact him at [email protected]