10 things you need to know about GDPR now
The rush is on. With enforcement set to begin in May 2018, organizations worldwide are scrambling to comply with the European Union’s General Data Protection Regulation (GDPR). For most, the trick will be to steer clear of penalties, while avoiding unpredictable expenses.
Based on the concept that people “own” data about them, GDPR mandates that businesses, governments, utilities, and charities handle people's data with care, meaning they must use it only with the explicit consent of its owners, provide it to them upon request, and inform them promptly should it be compromised. Enforcement will carry stiff penalties for noncompliance: the greater of €20 million or 4 percent of global annual revenue. Totals could theoretically reach billions of euros for the largest companies.
The EU describes GDPR as “the most important change in data privacy regulation in 20 years.” But you would never know it, judging from the responses to a recent survey, Privacy and the EU GDPR, conducted by Dimensional Research and TrustArc, which found that 61 percent of companies have not started the process of GDPR implementation. On the bright side, 23 percent of survey respondents said they have begun implementation, 11 percent said they are “well underway,” and 4 percent claimed to be fully compliant with GDPR.
Ready, willing, or not, the path to compliance must be taken, traversing unexplored territory that could contain unpleasant—and costly—surprises. Here are 10 things to watch out for:
1. Thinking GDPR does not apply to you. Be very careful with that assumption, even if your company does not have a subsidiary in the EU. Your company may be headquartered in Columbus, Ohio, but if you retain email addresses of German citizens, you must comply, just as if your company were based in Cologne. And if you think that the long arm of EU enforcement can’t reach across the Atlantic, think again. Many U.S. companies have EU subsidiaries as this is required to operate in the EU market. Moreover, ongoing enforcement cooperation under international law between the U.S. and the EU suggests that EU regulators will be able to fine U.S. companies.
2. Not knowing what data you have. “Many firms don’t know what data they have, why they have it, or whether it should be regarded as personal data,” says Duncan Brown, associate vice president for European infrastructure and security at IDC. That ignorance could be costly. The sheer effort of discovering what personally identifiable information (PII) you hold and where it is stored could be very great indeed. Tools that perform data profiling and mapping will go a long way toward accomplishing that, but companies with haphazard data management practices in place could face greater expense than they anticipate.
3. 72 hours?!? That’s the time you have to notify EU citizens should their data be compromised. Three days is a short turnaround—too short, according to one legal expert. “It will be untenable for companies to give notice that quickly,” says Colin Zick, a partner at law firm Foley Hoag in Boston. Before you throw up your hands in despair, keep in mind that the 72-hour clock starts ticking only after you discover the breach, not when it occurred, which in some cases could be a month or more earlier. And if the data is anonymized or encrypted, reporting is not required—but of course, those measures carry their own costs. And the biggest cost of a breach might be public perception. “While the fines are significant, a top hidden cost to a company being in breach is reputational damage—for example, the share price of Equifax dropped by 40 percent in the two weeks after their breach notification,” notes Felix Martin, security strategist at HPE Pointnext's Global Security Center of Excellence.
4. Team building. Many departments within a company are responsible for ensuring GDPR compliance, but too many companies have not yet established teams that draw from all relevant groups. “GDPR affects the whole organization, but it is often siloed into one department, such as legal, IT, or risk management,” says Brown. The ability of an organization to engage stakeholders across the organization is a critical success factor, he contends. Team members should be drawn from sales, marketing, human resources, accounts payable, operations, IT, and security. “But,” he says, “few companies are doing this.”
5. Customer relationship management. Your company’s customers will soon have control over data in your possession that pertains to them. That means a new approach to managing customer relationships is needed. “Your customer-facing staff will require education and training in the processes and tools to deal with privacy,” says Martin. He notes two key tenets of GDPR that could prove problematic. First, explicit consent over the use of data such as cookies must be granted by data owners. This will be difficult and costly for large organizations with hundreds of thousands of customers. Also, companies may struggle with the right to be forgotten, which requires that a customer's information be completely removed when the customer demands it. Repeating this process in a verifiable way for thousands of customers could prove beyond the capabilities of some companies, Martin says.
6. Hiring a data protection officer. To ensure accountability, GDPR mandates companies hire or appoint a data protection officer (DPO) to be responsible for compliance and serve as the point person for contacts with EU auditors. The new DPO may require training and will need to communicate with many other corporate officers and managers. One solution that could lessen costs is to retain a third party to act as DPO.
7. Crisis management. Compliance with GDPR could result in several different kinds of emergencies, for which organizations should prepare. In the case of a breach, data owners must be notified within 72 hours, as mentioned. Demands from citizens for their data, as well as lawsuits by parties against organizations that are deemed uncooperative, could give rise to a chaotic scramble and spiraling costs unless a team is organized ahead of time, knows its responsibilities, and meets regularly to ensure readiness.
8. Lawyers. With GDPR a looming reality, organizations need to understand their enforcement risks. “It’s a legal document. Every organization must get legal advice,” says Jan De Clercq, security CTO at HPE Pointnext. Expert legal counsel is needed to help focus an organization on the risks that are most urgent, and of course, legal representation will be required in the event of an enforcement proceeding. The services of lawyers are never inexpensive, and this is a new field in which expertise could command a premium.
9. Living the GDPR. It’s one thing to get ready for the May 2018 deadline, but another to live life under GDPR in the years ahead. “Privacy by design” is the approach needed to manage data effectively under GDPR. That means engineering data collection processes from the ground up to be compliant. This includes running a privacy impact assessment on data to assess the risks it poses. You’ll also need to take care when transferring data outside the EU, so that it does not travel into an environment where data is less protected. And you’ll need to keep detailed records of your actions to satisfy any regulatory audits.
10. Waiting until the last minute. Biding your time might save money in the short run, but when you are rushing close to deadline, you will find it difficult to get experts on the phone, and the cost of doing everything is likely to be higher. If you are not taking action because you think the GDPR does not apply to you, see No. 1 above.
And the upside is?
Given the daunting list of risks, requirements, and hidden costs, could there possibly be an upside to GDPR? Experts say there are several. Getting your act together with regard to data management, particularly the unification of customer records, could pay significant dividends.
“It’s a great opportunity to put customer-related data in order—to get clear insight on where data is stored and how it is protected,” says De Clercq. “This is data that’s already being gathered about the behavior of consumers on websites, but in many cases, companies don’t really know or care where it is stored or archived.” When you have a handle on your data, you can subject it to big data analytics to derive insights as to consumer preferences for marketing purposes. But of course, the data must be handled within the constraints mandated by GDPR. One of those dictates is not to use data for a purpose that is incompatible with the purpose for which it was gathered.
In addition, companies that comply with GDPR are likely to bolster data security in beneficial ways, says Martin. “The deployment of a cross-corporate data encryption solution will support GDPR but also protect data that is sent outside the boundaries of the organization in a public cloud or is stored in a big data platform,” he says. Overall, Martin contends, meeting GDPR’s guidelines will cause companies to significantly reduce their risk of a data breach.
Not to be overlooked, compliance itself is an accomplishment that impresses customers with your competence and good intentions. “GDPR compliance can be seen as a differentiator by customers and can increase brand loyalty,” says Martin.
Finally, being prepared will pay off should the day come when you have to get the bad news of a breach out to many people very quickly. “This is the moment of truth, and regulators will expect to see an affected company deal with the situation in a planned and organized way,” says Brown. Brown and others agree that making a demonstrably strong effort will go far to impress regulators, who are likely to target the negligent with the toughest fines and could well be lenient toward companies that are taking GDPR seriously.
GDPR: Lessons for leaders
- Never assume. There’s a good chance GDPR affects you, even though you might not think it does. Most companies have some interaction with European customers even if they don’t have operations there. That probably means you.
- Get the technology you need. Many companies will face a rude awakening when they find out the work needed to know what data they have, where it is, and which of it is PII. Data profiling and mapping technology is a worthwhile investment.
- Build a team. You’ll need many stakeholders working together to achieve compliance and respond to any crises that may arise. A key team member will be your new DPO.
- Look for an upside. You’re embarking on a major project and should look for ancillary benefits, like identifying useful data for big data analytics as well as eliminating useless data. Cheer up. Demonstrating ROI will help get funding for the whole initiative.
- Do the best you can. Even if you miss the deadline and are noncompliant in some ways, if you are working diligently toward GDPR compliance, there’s a good chance regulators will take that into account.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.