100% Privacy compliance is not possible

By Frank van Vonderen

Many entrepreneurs and executives shudder at the thought of the fines and liabilities associated with GDPR. So, it's natural to ask that one question: "Are we now 100% compliant?"


But that's precisely the question you don't want to answer. Why not? Because the answer can only be 'no'. Privacy legislation consists of open standards: terms like 'adequate' and 'appropriate' create ambiguity, and in many respects it is simply not yet known what is good enough. The many competing opinions only highlight how unclear things still are. Even the regulator is not always consistent in its statements.

There are no fully developed frameworks to assess compliance against. Fortunately, the first sets of standards are becoming available, such as those from NOREA or CIP. However, these standards primarily assess the maturity of your privacy processes, in other words whether you are doing things well. They do not yet assess whether those processes are effective. Try asking the question: 'what is the likelihood of a data breach occurring in my organization in the next year?' There is no framework that can answer it.

Compliance is always a snapshot. If you are compliant today, will you still be tomorrow? The world doesn't stand still: interpretations and circumstances evolve, organizations evolve, society evolves...

Progress is being made on the first two points (consistent interpretations and compliance frameworks). But the last one is much more complex, because the world keeps changing. So yes, you can take steps to become more compliant, but 100% privacy compliance? No. That's not realistic.


More information?

Contact Frank van Vonderen.
