When it comes to attaining readiness for the General Data Protection Regulation (GDPR), the clock is ticking. The GDPR is a set of regulatory mandates (Regulation (EU) 2016/679) that seek to shore up and streamline data protections for citizens within the European Union, including giving residents control over data about them and limiting exports of such data outside the union.
After four years of deliberation and a 24-month transition period (following the passage of GDPR in April 2016), the mandates go into effect in May 2018, roughly 10 months away. That may sound like a lot of time, but it’s not, and many organizations will find themselves struggling to comply. And it’s important for them that they do bring themselves into compliance.
While many fines on organizations for data breaches seem tame, they certainly don’t have to be tame when it comes to GDPR violations. Penalties stemming from non-compliance with GDPR can total a staggering 4 percent of a company’s global annual revenue. Requirements include that data be protected adequately, and when breaches do occur, organizations had better have notification capabilities in place that align with GDPR requirements.
For public companies, a shave of 4 percent off their annual revenue would result in a tremendous hit to their stock share price as it would likely force misses on previous long-term earnings per share projections. Not good.
Consider this: In the Wall Street Journal story “Survey Roundup: GDPR a Work in Progress for Firms,” a survey of 550 IT security and compliance professionals by Experian Data Breach Resolution and the Ponemon Institute found that a staggeringly low 9 percent of companies reported being prepared for the GDPR regulations, and 32 percent don’t even have a plan in place now to get compliant.
So how do organizations get into GDPR compliance? The first thing they need to do is identify any data that falls under GDPR control. This includes personal data that EU organizations collect and manage, as well as such data held by international companies that operate in the EU.
Second, document how this data is secured. It’s already secured, right? If not, then read the documentation guidance here as the very beginnings of a to-do list. Organizations need to document where their regulated data resides, how it’s protected, who has access, and how that access is determined and managed. The breach response plan needs to be comprehensive, ready, and well-practiced. Further, how data is governed over time needs to be set forth and managed. For instance, as new data is collected, it needs to be determined whether that data falls under GDPR regulatory mandates. How contractors and other third parties handle this data needs to be decided as well.
That covers only how data is secured. Policies also need to be created around privacy rules and how privacy is designed in, and around how data privacy rights – such as the right to be forgotten – will be met.
Finally, in addition to the security and data governance that support data privacy, enterprises have to have the legal, human resources, insurance, PR and communications plans in place around the applicable facets of GDPR. It’s certainly not an easy road to compliance.
Of course, this is why research firm Gartner estimates that by the end of 2018, a full seven months past the deadline, at least half of all companies that need to comply with GDPR by May 2018 will still not have brought their organizations into full compliance.