A recent industry report found that an overwhelming number of organizations in the U.S. and EU are unprepared for the EU General Data Protection Regulation, which becomes enforceable May 25, 2018. And, industry firm Gartner predicts that more than 50 percent of companies affected by the regulation will not be in full compliance by the end of 2018.
The GDPR broadens the scope of personal privacy laws to protect the data rights of EU residents, giving individuals greater control over who has their data and how they will use it. It’s an extension of data privacy laws that have been in existence for decades in Europe.
The GDPR is a substantial regulation with 99 articles that address how organizations capture, control and process personal information. Organizations must be completely compliant from day one, or face significant fines: up to 2-4% of global revenue. In addition, the reputational damage from non-compliance may be long lasting, or even insurmountable.
As organizations rush to ensure compliance before the deadline, there are a few common pitfalls they should look to avoid:
Assuming too much risk
According to industry analyst firm Ovum, more than 50 percent of global businesses believe they will be fined as a result of the GDPR. Many companies already believe they’ll be unable to meet the high cost of regulatory compliance, and as such, have opted to take a “bare minimum” approach, hoping they will fly under the radar.
This represents a high-risk tactic. Should a security breach occur or regulators come calling, the cost of non-compliance in terms of revenue and reputation would be much higher than the cost of implementing technology and processes. Fines could drive some small and medium-sized companies out of business, while the reputational damage to larger organizations will leave scars.
By contrast, taking the time and effort to become truly compliant would also have the positive “side effect” of creating a real data-driven culture, something most companies today aspire to but very few can confidently claim to have. This, in turn, would become the basis of better data accuracy, stronger security and in time, an improved (and potentially more resilient) corporate reputation.
Relying on encryption only
While many vendors have offered encryption software and services to help organizations secure personal data as it relates to the GDPR, rushing to encryption has its shortcomings. Encryption is a very IT-focused activity and while it affordably addresses some data protection challenges, it can’t address the full picture outlined by the GDPR. Protecting information about a data subject is not, fundamentally, a technical problem.
To successfully comply with GDPR, an organization must understand how personal data is being handled across the entire enterprise. This requires an end-to-end understanding of how data is captured, transformed, held, and destroyed. Excel may have (barely) worked in the past as a data processing tracking mechanism, but it cannot accommodate or scale to meet the complexity and volume of today’s data.
Organizations should establish a data governance framework that can help them understand what data they have, where it is, who is accountable for it, and the controls (including encryption) that they’ve applied to it. Once in place, this framework will ensure that newly acquired data will be accounted for, based on defined processes.
Data resides everywhere within an organization and touches every business function. Therefore, it’s imperative that a business can identify and prioritize what data needs to be addressed. And rather than rush to encrypt, IT should focus first on securing systems. Once the business and technical landscape is defined, they can work with a security expert to encrypt or delete the appropriate data.
All Stakeholders, all in
Don’t hand off data privacy and protection just to the IT or legal teams. It’s everybody’s business. “Privacy by design” requires the full participation of stakeholders across the organization. Every part of the organization has a role to play.
Business managers need to identify what data they use, where it lives and how they use it. Data teams need to establish protocols to secure personal data and design governance processes so that privacy by design can be sustained beyond immediate deadlines. IT needs to ensure the availability and resiliency of processing systems and services. HR needs to hire additional resources (while handling their data in a compliant way), train employees in how to identify data flows and help communicate new policies and procedures throughout the organization. The GDPR requires engagement from the entire organization to establish a culture of accountability that ensures the proper documentation and protections are in place.
When the GDPR comes into effect in less than 100 days, companies will not just be under the watchful eye of regulators. Individuals, whose personal data makes the global economy go round, will find themselves empowered by their new data rights and will most certainly exercise those rights. Proper planning now will help mitigate risk and prevent serious consequences, while also setting organizations up for success.