While the EU's General Data Protection Regulation (GDPR) was a long time in the making, there are still many unanswered questions surrounding its impact. It is difficult to know how much the regulation, which comes into force in May 2018, will change how international organizations manage data, for example, or whether European Union (EU) companies will even be ready for its implementation when the time comes.

Here is a look at three outstanding GDPR questions for 2018.

1. How will U.S. companies managing EU citizens' data handle automated processing?

When the GDPR comes into effect, it will apply to U.S. companies that handle the personal data of individuals in the EU, whether by offering them goods or services or by monitoring their behavior. And almost immediately, the regulation will have an effect on how these companies process the EU data they store. Article 22 of the GDPR, for instance, provides that data subjects "shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."

This poses a problem for many U.S.-based companies, as automated processing is a core function of artificial intelligence (AI) technology regularly used across industries. Analytics platforms that look to benchmark legal services costs or allow law enforcement to uncover information about internet users, for instance, often use AI-powered automated processing and decision-making.

It is unknown how readily organizations will be able to change their use of such automated processing, or how quickly AI platforms can adapt to this new regulatory regime. But some U.S. organizations will need to heed the automated processing restrictions in the near future.

Beyond the GDPR, the EU may also be looking to regulate automated processing under the EU-U.S. Privacy Shield. After the first EU-U.S. annual review of the trans-Atlantic data transfer agreement, the European Commission recommended "a study to collect factual evidence and further assess the relevance of automated decision-making for transfers carried out on the basis of the Privacy Shield."

2. Will EU companies be ready for the GDPR?

Surprisingly, many of the organizations falling behind in their GDPR compliance efforts are the ones that will be impacted by the regulation the most. According to the "Getting to GDPR Compliance: Risk Evaluation and Strategies for Mitigation" report by the International Association of Privacy Professionals (IAPP), compliance at EU-headquartered organizations is less than ideal.

Taking into account survey responses from 500 in-house privacy professionals, the report found that while 84 percent of U.S. organizations planned to be compliant by May 2018, only 72 percent of EU organizations said the same. More U.S. organizations were also planning to be compliant by the end of March 2018 than their counterparts in the EU.

An October 2017 survey of over 800 corporate IT professionals across the United States, U.K. and EU conducted by IT community organization Spiceworks Inc. also found that EU organizations were falling behind even their U.K. counterparts in GDPR compliance efforts.

So what's behind the EU's slow crawl with the GDPR? Rita Heimes, research director at IAPP, told Legaltech News that “it probably has to do with not having the right staffing and right budget to get up to speed in time.”

“I think it's a matter of resources. It looks as though the U.S. organizations are appropriating quite a bit of resources towards compliance, a bit more than their counterparts in EU,” she added.

3. How will regulators enforce the GDPR?

While the broad scope and mandates of the GDPR are well-known, there is still the open question of how regulators will specifically enforce the rules when the GDPR comes online. The regulation can be unclear concerning the enforcement of some provisions, such as the “right to be forgotten.”

The situation has made it difficult to provide guidance on how organizations can comply with the GDPR in the near future. In August 2017, EDRM, the organization behind the Electronic Discovery Reference Model, announced an initiative to develop guidance for cross-border data transfers outside the scope of the Privacy Shield, and therefore regulated by the GDPR, though the effort is seen as a long-term endeavor.

Deena Coffman, managing director at BDO Consulting and an EDRM member who serves as project co-lead for the initiative, told Legaltech News that there may be “years of work needed” to continually update the guidance “as new [direction] is provided [from the EU] to address a full range of scenarios.”

"The GDPR, much like other regulations, could not be written to address every possible scenario and technology," Coffman said. She expects EU bodies such as the Article 29 Data Protection Working Party "to continue issuing guidance over the years to better clarify or focus GDPR provisions."

Still, noncompliance with the GDPR can result in a fine of up to 4 percent of an organization's annual global revenue or 20 million euros, whichever is higher. So it may benefit a company to open up a line of communication with EU regulators should any questions over compliance arise.

Speaking at the 2017 Association of Corporate Counsel's annual meeting, Lisa Zolidis, privacy counsel for the Americas region at Dell Inc., advised that “If you do think that you're in a gray area and you're not sure … you may consider talking to your lead regulatory authority, your lead data protection authority, and vet it out.”

What's more, Rohan Massey, partner at Ropes & Gray's privacy and cybersecurity practice in Europe, noted that despite questions over GDPR enforcement, there are still some clear requirements companies can easily meet from the start to signal that they are looking to comply with the regulation in good faith.

"There are certainly lots of steps that companies can be doing to ensure they are moving towards credible compliance, that they are adhering as much as they can to the principles and obligations of the GDPR," he said.

He added that any regulatory action against companies will likely aim to be “effective, proportional and dissuasive” and will take into account whether or not the company is taking a proactive approach to compliance. “If you have small accountability defects, and they're repetitive, the fines around those will build up.”