The Information Security Forum (ISF) considers the General Data Protection Regulation (GDPR) to be the most noteworthy shake-up of global privacy law in decades. Not only does it redefine the scope of EU data protection legislation, it forces organizations globally to comply with its requirements.
The regulation officially goes into effect in May of 2018 and will have an international reach, affecting any organization that handles the personal data of European Union (EU) residents, regardless of where it is processed. Many U.S.-based organizations will fall under GDPR’s purview. In fact, few organizations will be able to completely avoid the requirements.
The GDPR adds another layer of complexity to the issue of critical information asset management that so many organizations are already struggling with. The GDPR aims to establish the same data protection levels for all EU residents and will focus on how organizations handle personal data. Businesses face several challenges in preparing for the reform, including a widespread lack of awareness among internal stakeholders. The additional resources required to address the obligations are likely to increase compliance and data management costs while pulling attention and investment away from other important initiatives.
In the longer term, organizations will benefit from the uniformity introduced by the reform. If GDPR means companies no longer have to circumnavigate the current array of often-contradictory national data protection laws, compliance costs and activities may decrease once past the initial implementation and transition period. There will also be worldwide benefits as countries in other regions dedicate more attention to the defense of mission-critical assets and personal data privacy.
The GDPR has the potential to serve as a healthy, scalable, and exportable system that sets an international benchmark for sustainable online commerce and communication. But first, companies need to understand the nuances of their obligations under GDPR and carefully examine and test their preparedness. The results of recent surveys (e.g., PwC, Veritas, and Compuware) about GDPR readiness indicate that organizations are overly optimistic about their compliance with major provisions of the pending regulation, particularly the requirement to report data breaches within 72 hours of awareness.
Understanding the consequences of non-compliance
Most countries, including all EU nations, have established supervisory authorities to oversee the use of personal data. These supervisory authorities are government-appointed bodies that have powers to inspect, enforce, and penalize the processing of personal data. In the United States, a number of authorities enforce data protection requirements under the sectoral approach, most notably the Federal Trade Commission (FTC), which has substantial regulatory powers.
The GDPR aims to establish the same data protection levels for all EU residents and will focus on how organizations handle personal data. Businesses face several challenges in preparing for the reform, including a widespread lack of awareness among internal stakeholders. The additional resources required to address the obligations are likely to increase compliance and data management costs while pulling attention and investment away from other important initiatives.
Supervisory authorities are granted investigatory powers by the GDPR, allowing them to investigate any complaint they receive through a variety of measures such as audits, and reviews of certifications and codes of conduct. Complaints may be received not only from the data subjects themselves but also from any organization or association that chooses to complain or has been chosen by a data subject to represent their interests. These complaints can be submitted to any supervisory authority, not just the authority with territorial responsibility.
If an organization is found to be infringing the requirements of the GDPR, supervisory authorities have a variety of corrective powers from which to choose. These include the ability to issue warnings and reprimands to controllers or processors, but also far more substantial powers. Authorities can compel an organization to process data in certain manners or cease processing altogether, and can also force an organization to communicate data breaches to affected data subjects.
The time to prepare is now
No organization that operates on a global footprint of suppliers can afford not to prepare for changes that will result from new GDPR compliance rules. Falling out of compliance with data regulation can really hit you in the pocket. The checklist of rules requires extreme preparation and responsibility, all of which must be shouldered by the individual organization; relying heavily on government or regulators for help is imprudent.
The GDPR is putting data protection practices at the forefront of business agendas worldwide. For most organizations, the next year will be a critical time for their data protection regimes as they determine the applicability of the GDPR and the controls and capabilities they will need to manage their compliance and risk obligations. Because of the effort required to report data breaches, it is essential that organizations prepare in advance.
Executive management will be responsible for ensuring that an organization meets its legal obligations to implement the GDPR’s requirements. A Data Protection Officer (DPO) should be designated to act as a focal point for ongoing data protection activities. An organization’s governance functions, including information security, legal, records management, and audit should ensure they are familiar with the requirements of the GDPR and have the necessary people, processes, and technical solutions in place to achieve compliance.
With reform on the horizon, organizations planning, or already doing business in Europe, should get an immediate handle on what data they are collecting on European individuals, where it is coming from, what it is being used for, where and how is it being stored, who is responsible for it, and who has access to it.
Optimally, an organization should complete GDPR preparations well before May 2018 in order to leave time for requesting and responding to third-party (processor) assurances. These activities require resources with the expertise and time to assess contracts and data impacts, issue assurance requests, and process responses. Data protection, legal, and information security teams should plan for this task so that they are not overwhelmed with requests closer to the enforcement deadline.
The GDPR raises the stakes; players who want to stay at the table come next year must have their data management affairs in order. Those caught unprepared will be scrambling, vulnerable, and poorly positioned against better-organized competitors.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.