We're at less than a month before the EU General Data Protection Regulation (GDPR) regulations go live and global readiness still lags considerably. Companies around the world are in varying states of compliance, with a fair number of organizations out there that still haven't even stepped up to the start line of their GDPR compliance journey.
As Pierre-Luc Refalo, global head of strategic consulting and GDPR offer lead for Capgemini, put it at RSA Conference a few weeks ago, his firm is still fielding panicked calls from companies seeking guidance on how to get started with GDPR compliance.
"There are companies one month before the deadline who have done nothing and they call us to ask, 'Can you help?'" he says.
This anecdotal evidence is backed up by study after study that have all offered the same resounding conclusion. Namely, that half of global companies won't be ready for GDPR authorities when they start knocking on doors on May 25.
Refalo's presentation at the RSAC GDPR Summit underlined the warning that GDPR is no academic exercise. Unlike a lot of toothless regulations of years past, GDPR poses some very real and significant financial repercussions for non-compliant firms. The hits will come on four major fronts:
- Fines
- Reputation Damage
- Cease of Data Processing
- Class Action Lawsuits
Fines: The first and most obvious will be the stiff fines that GDPR Data Protection Authorities (DPAs) are empowered to levy. The most egregious offenders can expect to pay either €20 million in fines or 4% of total revenue or turnover, whichever sum is greater. And Refalo said that the little guys who are operating under the belief that they can fly under the radar could end up paying the biggest price.
"I know firms with 1,000 to 2,000 employees that process tens of millions of pieces of personal data and their turnover is not that high," he says. "But their risk based on volume of transaction is fantastic. If you (figure) €50-€70 per record breached, for a company the fines would mean the company is dead."
Reputation Damage: The abiding principle behind GDPR guidance and enforcement is the tenet of transparency, said Refalo. Some of the biggest worries that organizations face are not necessarily even the fines that come from GDPR non-compliance, but the bad publicity that could arise from GDPR sanctions.
"People are worried about having their name in the papers if they're breached," he said.
And make no mistake, this will not be the type of regulation where an organization gets a quiet slap on the wrist.
"If your organization fails to meet the requirements of the GDPR, it will become a very public affair," warned Todd Wright of SAS recently. "Not only will your existing customers hear about the violation, but those that might have considered doing business with you in the future will know as well."
Cease of Data Processing: On top of everything else, GDPR regulators also have the power to shut down data processing operations until an organization is compliant. This could have a far greater financial impact than fines, particularly if that processing is tied directly to revenue generation.
"What if I have to stop my processing? I won't say fines are not important, but for the business that’s far more important," Refalo said.
Class-Action Lawsuits: Finally, one additional risk of financial damage that could be coming down the pike is that of class action lawsuits, explained Ilias Chantzos, global and privacy advisor government affairs for Symantec, who chaired the summit that Refalo spoke at.
"Bear in mind that your risk in GDPR has slightly changed because the European commission announced it will allow for class actions under GDPR," he says. "This will need to go through an adoption process that will take a couple of years. It is something that will be rolled out at a future date but it is something you'll need to bear in mind."
While there are clear guidelines to direct DPAs in determining sanctions against non-compliant firms, there is some degree of discretion in the process, a process that Refalo says will be transparent. The point here is that even if an organization is not completely compliant, there is room to minimize the damage should the regulators take action against you.
Rather than throwing their hands up, organizations that haven't done much to get ready should recognize that there's no time like the present to start moving forward.
If there's one short-term step that organizations can take to do GDPR damage control, it is to start by improving organizational processes. This will be a way to show the regulators that the business is making a good-faith effort to do something. This should be carried out on four major fronts, says Refalo:
- Hire a Data Privacy Officer (DPO) and demonstrate your documentation
- Establish data protection registration management
- Document processor and third-party management
- Establish breach management and reporting procedures
"If you do these four points, you're not in bad shape," he says. "It's not perfect, because you still have all the rest but it is a good start."
The critical thing to remember is that the act of compliance is a continuous one.
"May 25 is just the beginning," he says. "You have to be sure you run your GDPR compliance operation, too."