Many IT leaders are worried about the General Data Protection Regulation (GDPR) law.
The European Union (EU) calls GDPR the "most important change in data privacy regulation in 20 years." Passed in April 2016, the EU law will become enforceable on May 25, 2018, which means companies are quickly running out of time to prepare.
In Ovum research commissioned by SaaS provider Intralinks, 52% of the IT decision-makers surveyed said they believe GDPR will result in business fines for their companies. In addition, 63% of respondents said the law would make it harder for US businesses to compete and 67% said the law will force them to make changes to their EU business strategy.
A separate 2017 study conducted by PwC found that 54% of executives at large enterprises said GDPR compliance is their top data privacy and security priority, and 38% more said that while GDPR wasn't their number one agenda item, it was one of the most important. Only 7% said complying with GDPR mandates wasn't a top concern.
The GDPR standardizes data privacy protections throughout Europe. It also imposes stricter regulations on all businesses that collect or process the personal data of EU residents. The full text of the law runs 260 pages long, but some of its key provisions include the following:
New rules for obtaining consent and allowing people to withdraw consent for data collection
Although GDPR is an EU regulation, it applies to organizations all around the world. And those companies that aren't in compliance by May 25, 2018, will face penalties of up to $20 million euros or "4% of the total worldwide annual turnover of the preceding financial year, whichever is higher."
What should companies be doing to get ready for GDPR? Experts recommend several steps that are covered in the following slides.
1. Start Discussions Now
If your organization hasn't begun preparing for GDPR, you absolutely need to get started today.
The first step is to raise awareness about the law among key stakeholders within your company, including IT leaders involved in privacy and security. In its list of steps organizations should take to comply with GDPR, the UK's Information Commissioner's Office (ICO) puts "awareness" at number one, advising, "You should make sure that decision makers and key people in your organization are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have."
Organizations may also need talk with key suppliers about the impact of GDPR. The Ovum report concludes with an admonition to "start discussions now with existing technology and service providers about their plans to cater for new legislative requirements."
2. Determine If GDPR Applies to You
The GDPR regulations are so sweeping that they apply to nearly every company doing business internationally — and they may even apply to some small businesses that don't realize they are bound by the law.
In general, the law applies to data controllers (organizations that collect data) and data processors (third-party organizations and cloud computing providers that process data for other organizations) if they either have facilities in the EU or have any personal data relating to any person who resides in the EU. Personal data can include names, home addresses, photos, social networking posts and lots of other information. So, for example, if you have a single employee or contractor currently living in the EU (even if he or she isn't a citizen of an EU country) and store that person’s home address in your systems, you will need to comply with GDPR. Or if you run a website with a public forum that can be used by people in the EU, you too likely need to comply with GDPR.
The regulations are complicated, however, so if you aren't sure whether your company is covered by GDPR or not, your best bet is to consult with a lawyer who specializes in international law or privacy regulations.
3. Perform a Thorough Review
If your company does fall under GDPR regulations (and you probably do), many experts suggest undertaking a thorough review of the data you currently have that might be covered by the law. The ICO recommends, "You should document what personal data you hold, where it came from and who you share it with. You may need to organize an information audit."
As part of this process, you may also want to conduct a privacy risk assessment. The Ovum report says, "The privacy risk assessment should begin by classifying information into broad categories (PII, company confidential information, for example) and mapping this to existing business processes and related geographies." You’ll also want to note the current data protection capabilities you have already put in place.
4. Allocate a Budget
Once you understand how much personal information you hold and what related risks you might face, you can do a better job planning for how much compliance will cost. Be sure to include costs for new personnel, outside consultants and attorneys, as well as any new technology or services you will need to adequately protect personal information.
In the Ovum survey, 70% of respondents said that their companies would need to increase their privacy and security spending in order to comply with GDPR, and 30% of respondents believed they would need to increase budgets by more than 10%.
The PwC report gets more specific in its budget numbers. Among its respondents, 77% of companies said that, as a result of GDPR, their total data privacy budgets would be $1 million or more, and 9% expected to spend more than $10 million to achieve compliance.
5. Hire a Data Protection Officer
Of all the regulations included in the GDPR law, the requirement to name a data protection officer (DPO) has been one of the most controversial and the least well understood. The law states that you must have a DPO if you are a "public body" or if your core activities involve "regular and systematic monitoring of data subjects on a large scale." Those terms are fairly broad and nebulous, and even though the EU has issued more guidance, some companies remain unsure whether they need to appoint a DPO.
For companies that do need to have a DPO, the person in the position must be able to act independently and report to people at the highest levels of the company. DPOs also need to have expert knowledge about data protection and the relevant laws, and they can't be fired for doing their jobs. A DPO can be a contractor or someone with another role within the organization, but he or she can't be the CEO, CFO or the head of marketing, IT or human resources.
6. Develop a Strategy for GDPR Compliance
One of the DPO’s first responsibilities will be to create an overarching strategy for complying with the many provisions of the GDPR. Armed with the information uncovered during the earlier review, the DPO will need to conduct a gap assessment to determine where the organization is already in compliance with the law and where additional measures need to be put into place. This process will involve working closely with IT and members of management. Your strategy should include a data breach incident response plan that includes notifying affected individuals within 72 hours of a breach discovery.
7. Put Appropriate Technology, Policies and Procedures in Place
Once a strategy has been written, the next step is to put it into practice. In order to comply with GPDR, most organizations are going to have to do things a little differently. When surveyed by Ovum, 53% of respondents said that they believed they would need to adopt new technologies in order to comply, and 51% said they would amend and adapt their existing data privacy and protection policies.
Experts caution that organizations shouldn’t fall into the potential trap of doing the bare minimum to achieve compliance. For example, a SANS Institute white paper written by attorney Benjamin Wright warns that companies should evaluate security technologies “not only to achieve compliance with the GDPR’s security expectations, but also to prevent a breach from ever happening.”
8. Train Your Employees
Employee training is another key element in GDPR compliance. Employees need to understand the basic requirements of the law, as well as how company policies and procedures will need to change in order to achieve compliance. In the Ovum survey, 55% of respondents said they were planning new training for employees around GDPR. This training will likely need to be an ongoing part of the corporate education program in order to ensure that employee knowledge remains fresh and that new hires are aware of their legal responsibilities.
9. Establish a Track Record of Compliance
Most experts agree that organizations shouldn’t wait until the deadline to comply with GDPR. Instead, they should make the changes necessary as soon as possible so that they can gain experience with the new practices and technologies before they face the risk of fines.
In the SANS paper, attorney Benjamin Wright advises, “Although the GDPR formally goes into effect in May 2018, an organization would be wise to begin compliance measures now. Undertaking meaningful steps toward comprehensive security compliance demonstrates to courts and regulators that an organization is a responsible steward of data and potentially worthy of lenient treatment if security shortcomings were to come to light, whether before May 2018 or afterward.”
10. Monitor Guidance from EU Countries
As the GDPR deadline approaches, regulators from the EU and the individual EU countries have been issuing additional guidance to help companies understand the parts of the law that were not entirely clear. Companies need to make sure that they are staying abreast of these developments and altering their data protection practices appropriately. And, they will need to continue monitoring legal and regulatory modifications that may occur after GDPR takes effect.
Cynthia Harvey is a freelance writer and editor based in the Detroit area. She has been covering the technology industry for more than fifteen years. View Full Bio