The official deadline for General Data Protection Regulation (GDPR) preparations falls on the Memorial Day holiday weekend in the United States. As you’ve discovered if you’ve been wading through GDPR preparations for the past year or so, this is not a set-it-and-forget-it regulation.
GDPR, with its unprecedented international reach and focus on individual data privacy rights, represents an ongoing commitment to protecting sensitive data; providing data subjects with access and control over their information; and continuously monitoring and improving all parts of the data ecosystem.
Each of these tasks is enormous and endless, and the potential penalties for compliance failures are significant. Many companies won’t be completely compliant before the deadline and the executive team, including the CFO, will need to set priorities, conduct gap analyses, and get serious about meeting responsibilities.
During the early phase of enforcement, information commissioners in charge of overseeing GDPR compliance in each country will be looking for flagrant violations to emphasize the gravity of the rules and make examples of negligent organizations.
In other words, the next several months would be a particularly bad time to experience a bad data breach, especially if your organization’s GDPR response is slow, ineffectual, or incomplete.
The GDPR affects any organization that handles the personal data of European Union (EU) residents, regardless of where it is processed. The rules add another layer of complexity, not to mention potential cost and associated resources, to the issue of critical information asset management — a problem that so many organizations are already struggling to address.
However, organizations will benefit from the uniformity introduced by the reform. It may also allow them to avoid having to circumnavigate the current array of often-contradictory national data-protection laws.
There will also be worldwide benefits as countries in other regions dedicate more attention to the defense of mission-critical assets. At the Information Security Forum (ISF), we believe that the GDPR has the potential to serve as a healthy, scalable, and exportable regime that could become an international benchmark.
U.S. businesses that fully commit themselves to GDPR compliance will be ready for regulations that may emerge in response to Equifax, Facebook, election interference, and whatever big data scandal comes next. Even without new regulations, given the current pushback, American businesses should seriously consider the problem of damaged public trust. They need to figure out how to maintain and project a reputation for corporate responsibility.
Leading organizations are looking beyond May 25, by extending the breadth of GDPR compliance programs to leverage additional benefits. Examples include:
- Consolidating activities into broader information governance programs
- Embedding information security into the design of business applications and technical infrastructure
- Improving data protection and privacy practices
- Extending information security’s reach within the business
This is definitely not the time to be talking about “winding down” GDPR efforts, no matter the organization’s level of readiness. That would be the equivalent of walking off the racetrack just as the start signal is given.
That’s because that we never know which way regulators and legislators are going to go until they act. Also, data breaches can happen anytime, to any company. Now is a bad time to bet that GDPR enforcement won’t affect your organization.
In the event of a complaint, breach, or audit, information commissioners will not tolerate “I didn’t know” or “I’ll have to look into it, I run a large organization” as answers. Organizations have to know, have to be confident that they have the right processes in place, and have to be able to defend them as being reasonable and compliant.
Supervisory authorities are government-appointed bodies that have powers to inspect, enforce, and penalize the processing of personal data. In the United States, a number of authorities enforce data protection requirements, most notably the Federal Trade Commission (FTC), which has substantial powers.
Supervisory authorities will investigate any complaint that they receive through a variety of measures, such as audits and reviews of certifications and codes of conduct. Complaints may be received not only from the data subjects themselves but also from any organization or association that chooses to complain or has been chosen by a data subject to represent their interests.
These authorities have the ability to issue warnings and reprimands to data controllers or processors. Far more substantial powers include compelling an organization to process data in a certain manner or to cease processing altogether. They can also force an organization to communicate data breaches to the affected data subjects.
Especially for U.S. companies, there’s not much help to be found through government or regulatory agencies. This is a risk best managed by establishing an enterprise-wide GDPR program.
So what should an organization be doing now that the heat is on?
First, if the organization hasn’t already, figure out where all customer (individual) data is. A business cannot protect and defend data if it doesn’t know it exists, where it is stored, and how it is used and processed.
Second, conduct a gap analysis. If a company is not in good data shape, management must identify the key areas that require assessment and remediation, and tick those off the list as quickly and thoroughly as possible. At this point, the organization will incur some costs: it will need to focus resources on the gaps and will probably need some external support from GDPR experts.
The organization should also aim for complete visibility into the current state and a detailed plan for what it wants to achieve and how to move expeditiously toward its goals.
Set up regular review processes, document all efforts, and make sure that all stakeholders are on board. They need to understand the rules and the consequences of not following them.
For companies that have been working diligently on preparations and are essentially compliant, this is the time to focus on the finer points of the regulation, like data subject access request procedures (when individuals request access to personal data that a company is collecting on them).
Companies also need to put policies and processes in place to ensure that the ecosystem of service providers, vendors, and partners can be managed in a comprehensive but streamlined manner.
Larger companies should have a data protection officer in place, and small businesses should assign equivalent responsibilities to a senior employee, retaining outside expert help when needed.
While every organization should judge the risks and rewards of its own data protection investments, the GDPR offers a unique opportunity to translate necessary compliance actions into tangible business benefit. The companies that will benefit from the GDPR are the ones that structure programs to exploit these opportunities and to develop the resilience to meet future regulatory challenges, consumer expectations, partner requirements, and threats.
Steve Durbin is managing director of the Information Security Forum (ISF), a global consortium of Fortune 500 and Forbes 2000 organizations that collaborate on security research, standards, and best practices. Durbin’s main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media.
The ISF has published The ISF’s Implementation Guide for GDPR, available for free. The guide walks organizations through the preparation process.