by Steve Durbin, Managing Director, Information Security Forum
If your U.S.-based business deals with customers, employees or contractors in the European Union, the clock is ticking for you. On May 25th, 2018, the EU's General Data Protection Regulation (GDPR) goes into effect.
It will affect you whether or not you have a physical presence in Europe.
At the Information Security Forum (ISF), we consider GDPR to be the most extensive overhaul of global privacy law in decades. It fundamentally redefines the scope and application of EU data protection legislation.
GDPR compels organizations worldwide to comply with its requirements or face stiff fines and penalties. The regulation affects any organization that handles the personal data of European Union (EU) residents, regardless of where the organization is located or where the data is processed.
Many US-based organizations are obliged to comply with the new standards. Given the global nature of e-commerce, cloud services, and communications platforms, few organizations will be able to completely avoid the requirements.
Is your organization GDPR-challenged?
Many organizations are already wrestling with various challenges around critical information asset management. GDPR standards for the handling of EU residents’ personal data add another layer of complexity.
Businesses are encountering many difficulties as they prepare for the May deadline, often due to a lack of awareness among internal stakeholders. Addressing the obligations will likely cause compliance and data management costs to increase.
In many cases, it will be necessary to pull resources and attention away from other critical efforts in order to ensure that processes and plans required by GDPR are implemented in time.
How U.S. companies will benefit from GDPR
The good news is that, in the long run, U.S. organizations will benefit as much from the uniformity in data and privacy protection introduced by the reform as will their European counterparts.
Three reasons why GDPR will benefit American business:
Companies should be able to bypass the current array of (sometimes contradictory) national data protection laws, which implemented the 1995 Data Protection Directive differently in each member state, as long as they fully comply with GDPR, which applies directly and uniformly across the EU.
Compliance costs and activities may decrease once the initial implementation and transition period is complete.
There will also be more general benefits to businesses and consumers as countries in developing regions are driven to focus more attention and resources on defending mission-critical assets and personal data privacy.
By setting an international benchmark for sustainable online commerce and communication, the GDPR could potentially serve as a healthy, scalable and exportable model for data security and consumer privacy protections.
Overconfidence and non-compliance have consequences
It is paramount that companies work to understand the nuances of their obligations under GDPR and carefully examine and test their preparedness.
One example frequently cited is the requirement to report a personal data breach to the supervisory authority within 72 hours after the organization becomes aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk, affected data subjects must also be notified without undue delay (Article 34). This poses a particular challenge because numerous processes, controls, and incident response assignments must be in place to fulfill this rule as outlined in the legislation: detection, escalation, an assessment of the risk to affected individuals, and a pre-agreed reporting path all have to work within that window.
According to a 2017 PwC Pulse Survey report, nearly a quarter of respondents (U.S. multinational corporations) had not yet started preparing for GDPR. Most respondents (71%) were in the midst of implementing enhanced information security, updating privacy policies, and conducting data discovery and GDPR gap assessments.
Only 6% of respondents reported having completed their GDPR preparations.
In most countries, established supervisory authorities oversee the use of personal data. These government-appointed bodies have the power to inspect the processing of personal data and enforce standards through penalties and injunctions.
In the US, several authorities enforce data protection requirements, most notably the Federal Trade Commission (FTC), which has substantial regulatory jurisdiction.
The GDPR grants investigatory powers to supervisory entities, allowing them to investigate any complaint they receive through a variety of measures including audits and reviews of certifications and policies.
Complaints may be submitted by data subjects (or their chosen representative) or any organization that chooses to do so. These complaints can be submitted to any supervisory authority, not just the authority with territorial responsibility.
If supervisory authorities find that an organization is infringing on GDPR requirements, they can apply a variety of corrective powers. They can issue warnings and reprimands to controllers or processors, but also take far more substantial measures.
Authorities can compel a business to process data in a certain manner or cease processing such data altogether. They can also force a company to communicate data breaches to affected data subjects.
Time to complete the checklist
Any organization that operates on a global footprint of suppliers, partners, customers, employees or contractors should be preparing for the upcoming changes right now.
Those who ignore the GDPR requirements or fall out of compliance risk very expensive consequences: administrative fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher. The responsibility for making and testing preparations rests with the individual organization; ISF does not recommend relying on regulators for help.
For corporations worldwide, improving data protection practices ranks at the top of the boardroom agenda at the beginning of 2018. GDPR is a main driver behind this development, converging with the fallout from Equifax's massive data breach and widespread concern over major new vulnerabilities such as Meltdown and Spectre.
The next three months will be a critical time for organizations to mature their data protection regimes, as they determine the applicability of the GDPR and the controls and capabilities they will need to manage their compliance and risk programs.
Organizations doing business in Europe (or planning to) should get an immediate handle on what data they are collecting on European individuals, where it is coming from, what they use it for, where and how they store it, who is responsible for it, and who has access to it.
GDPR preparations should be completed well before May 2018, to leave time for companies to request third-party (processor) assurances and to respond to such requests themselves. Data protection, legal and information security teams should also plan for the related tasks, such as reviewing processor contracts and carrying out data protection impact assessments, so that they are not overwhelmed with requests closer to the enforcement deadline.
Executive management will be held responsible for GDPR infractions
It’s important to note that executive management is responsible for ensuring their organization meets its legal obligations under GDPR.
A Data Protection Officer (DPO) should be designated to coordinate, lead, and evaluate ongoing data protection activities. Appointing a DPO is mandatory under Article 37 for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; organizations outside those categories still benefit from a named owner for the role. Leadership should ensure they are familiar with GDPR requirements and have the necessary people, processes and technical solutions in place to achieve compliance.
All the usual maxims apply: failing to prepare is preparing to fail, a stitch in time saves nine, the early bird gets the worm, hope for the best but prepare for the worst.
Getting your data management affairs in order might be tedious and taxing, but resilient processes, controls, and incident response plans are increasingly critical to success in every industry.
Effective GDPR preparations will help your organization master the challenge of doing business on a global stage, earning and keeping the trust of customers and partners, and securing critical data assets.
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.