On the Ninth Day of Christmas, the Industry Predicted…GDPR Compliance

Deck the halls with boughs of money, tra la la. Why boughs of money? If you suffer a data breach after 25 May 2018 you could face a fine of up to €20 million or 4% of your global annual turnover for the preceding financial year, whichever is the greater. Strictly, the fine attaches to the infringement the breach exposes, such as inadequate security measures or a failure to notify, rather than to the breach itself, but the ceiling is the same. So if data security is not your thing, best enjoy the cash while it is still in your possession.

Of course this is a 2017 prediction and I’m well aware that the General Data Protection Regulation (GDPR) does not apply until 25 May 2018, but with 526 days to go, 2017 is the final full calendar year in which to achieve compliance, and predictions seen by Infosecurity show that it is a case of now or never for your preparations.

Quentyn Taylor, director of information security at Canon Europe, said that 2017 will see operational changes taking place in preparation, the biggest being the relationship change between suppliers and businesses.

Taylor, who previously told Infosecurity that “GDPR affects you if you are alive and on planet earth”, said that because data processors will have liability for data protection similar to that of data controllers under the GDPR, this is a business process that the industry must work to overcome, whether through adapting business models or changing pricing structures to reflect the impact the regulation will have.

“In addition boards will start to take data protection seriously – something that too many have failed to do thus far,” he said.

In agreement was Steve Holt, partner in the Financial Services Advisory at EY, who said that he is working with a number of organizations and responding to lots of requests for help, and the current position is that many organizations haven’t got the right governance in place and haven’t got the program clearly defined.

He also said that many organizations have gap assessments underway, but still haven’t got a handle on the scale of change needed. “In many cases, the program is being led by legal teams,” he said. “Our view is that it needs board sponsorship, and led with a cross-functional approach. In many cases, we believe the COO is better placed to drive this transformation program given the importance of data, systems, business process, etc.”

Holt also said that there are lots of ‘grey areas’ in the regulation and some organizations are not making a decision and awaiting further clarification from regulators. “However, this is unlikely to come soon – so it’s important that organizations make a few assumptions and decisions, so that the program can move forward,” he said.

“There’s probably a conversation to be had at board level as to whether GDPR compliance is achievable by May 2018. We have a view that many global organizations won’t be fully compliant, so it’s important to discuss this openly with the Board and to prioritize focus.”

Jonathan Armstrong, partner at Cordery, said that the firm’s GDPR readiness test suggests that no-one is ready, and there are some very low scores, including people not having done things the existing law already requires.

Armstrong said: “My gut feel is many people are leaving themselves exposed – there are only 526 days left and for most businesses there’s still a lot to do. We’ve found that gap analysis is not enough for GDPR as many do not comply with the existing law.

“Either 2017 is going to be hard work for most, or they won’t be ready for 2018 and the new regime.”

He said that ideally at this stage, most businesses should have basic building blocks in place, including a process for handling a data breach and a fit-for-purpose privacy policy. Holt, meanwhile, recommended establishing a clear governance structure for GDPR change that covers all aspects of the business (e.g. business, HR, compliance, legal, IT, marketing, operations, procurement). He also recommended performing a clear assessment and gap analysis of an organization’s current state against GDPR compliance, to help it establish a future vision and strategy.

GDPR may be 17 months away, but we’re all too aware that time can disappear under us so predictions that 2017 will be the year of GDPR compliance preparation will likely be correct.

>> On the First Day of Christmas, the Industry Predicted...More Ransomware

>> On the Second Day of Christmas, the Industry Predicted…Poor Routine IT Practices

>> On the Third Day of Christmas, the Industry Predicted…More Political Disruption

>> On the Fourth Day of Christmas, the Industry Predicted…CIOs to Reclaim Ownership of Data Initiatives

>> On the Fifth Day of Christmas, the Industry Predicted…More Social Media Attacks

>> On the Seventh Day of Christmas, the Industry Predicted…More Mention of AI

>> On the Eighth Day of Christmas, the Industry Predicted…Attackers Making Money

>> On the Tenth Day of Christmas, the Industry Predicted…Cloud Vendor Compromise