On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect, establishing uniform laws across the EU that protect the data privacy rights of EU citizens. This standardization serves as a potential boon to organizations operating across multiple EU member countries, reducing the complexity of compliance by ensuring that a single set of legal processes and rules will apply regardless of location. At the same time, GDPR requires thoughtful action on the part of any organization doing business with citizens of EU member countries, in order to adapt data handling practices to comply with the new legally enforced standards. The specific obligations of GDPR should be top of mind for organizations as they adapt their solutions and practices to implement more secure cross-border data sharing and customer privacy protections.
GDPR provides a host of new guaranteed rights data subjects (the individuals whose personal data organizations retain), including: the right to be notified if a data breach reveals their information, the right to access their own personal data, the right to be forgotten, and the right to data portability. Organizations must utilize systems that provide privacy by design, and must also develop a comprehensive data privacy strategy – one that provides a full understanding of where data resides and effective measures for remediating data risks. Businesses with more than 500 employees have the added requirement of employing Data Protection Officers to oversee data privacy and expedite all incoming data-related requests.
Organizations operating under GDPR are certainly incentivized to comply – not doing so could lead to crippling fines. In cases of severe non-compliance, the EU has the power to enforce penalties of up to 20 million Euros or 4% of the organization’s total worldwide revenue for the previous financial year – whichever is greater. Even cases deemed less egregious can result in fines reaching the greater of 10 million Euros or 2% percent of total worldwide revenue over the previous fiscal year.
Given the immensity of these fines, organizations will find it well worth their while to invest in a technological strategy required to achieve GDPR compliance. In fact, IDC predicts that organizations will spend an estimated $3.5 billion USD on upgrades to data security and storage solutions due to the upcoming regulation enforcement. Even accounting for this massive investment, Gartner believes that by the end of 2018 more than half of organizations covered by GDPR will still not be fully compliant.
To successfully prepare for GDPR, organizations need to establish a solid foundation for achieving compliance ahead of selecting vendors to provide the needed technology. Most critically, all existing data stores and all new processes and responsibilities under GDPR must be thoroughly understood in order to then correctly apply solutions and effectively execute data security measures.
Businesses can put these preparations into effect by following these five steps:
1. Read the regulation
An organization must begin by developing a full understanding of what GDPR requires of it, given the specifics of the organization’s business practices. It is vital to recognize that GDPR absolutely applies to any organization operating anywhere in the world and regardless of where data is stored, so long as it retains any information where EU citizens are the data subjects.
2. Assess existing processes
With the scope of the organization’s needs understood, audit existing processes and perform a gap analysis. Doing so will further delineate where new processes and personnel are needed in order to improve practices and achieve GDPR compliance.
3. Evaluate existing technology
Investigate the organization’s technology requirements to understand which current solutions that will need to be reapplied, upgraded, or replaced. For example, departments such as legal, HR, information security and others may have existing systems transferring protected data between countries. Technologies may also already be in place to meet the standards of other regulatory mandates, such as PCIDSS or HIPAA HiTech. The operations of these existing solutions must be thoroughly understood – especially when it comes to the flow of data and how it is used. A full knowledge of these technologies may bring up opportunities to leverage existing solutions for GDPR compliance, and will expose all technology gaps that need to be filled.
4. Identify new technology to fill gaps
Now determine what type of technology is required to fill any gaps against outstanding data security, data auditing, and data privacy needs. The task of meeting GDPR’s data discovery and incident detection and response requirements will likely require organizations to implement new technology solutions. This complexity is matched by the challenging nature of managing data risks within elaborate business processes. To meet this challenge, an organization must identify and address any vulnerabilities or blind spots. For instance, an organization may be well-equipped with technology to process credit cards securely, but internal operations may have individual employees copying, printing, and transferring data without the assistance of proper technological safeguards. It’s all too common for organizations to be unaware of such risks to data – which is why a careful gap analysis and process mapping are so crucial.
5. Continuous testing
Finally, establish the steps above as an ongoing regimen in order to receive continual insights that can inform process improvements. Organizations change over time, and maintaining a full knowledge of where and how data is stored and accessed is essential to continuous compliance. A business must be ever-watchful and certain that best practices aren’t abandoned with time, and that protected data never passes through systems that haven’t been carefully secured. Incident response processes should undergo periodic testing and be the subject of ongoing reporting, so that breach preparedness is assured.
At a time when data security measures must cope with attacks that are increasing in their volume and sophistication, GDPR requires organizations to execute a comprehensive strategy to protect data privacy. Given GDPR’s substantial penalties for non-compliance, as well as the business advantages of keeping sensitive customer data secure from breaches, organizations affected by GDPR have every incentive to fully understand their processes for handling data, implement robust and effective measures, and stand prepared well ahead of May 2018.