As you’ve discovered if you’ve been wading through GDPR preparations for the past year or so, this is not a set-it-and-forget-it regulation. With its focus on individual data privacy rights, it represents an ongoing commitment to protecting sensitive data, providing data subjects with access to and control over their information, and continuously monitoring and improving all parts of the data ecosystem.
The Upside
The GDPR affects any organization that handles the personal data of European Union (EU) residents, regardless of where it is processed. The rules add another layer of complexity, not to mention potential cost and associated resources, to the issue of critical information asset management that so many organizations are already struggling to address.
However, organizations will benefit from the uniformity introduced by the reform and will no longer have to navigate the current array of often-contradictory national data protection laws. There will also be worldwide benefits, as countries in other regions are dedicating more attention to the defense of mission-critical assets.
At the Information Security Forum (ISF), we believe that the GDPR has the potential to serve as a healthy, scalable and exportable regime that could become an international benchmark.
Leading organizations are looking beyond compliance, by extending the breadth of GDPR compliance programs to leverage additional benefits. Examples include:
- Consolidating activities into broader information governance programs
- Embedding information security into the design of business applications and technical infrastructure
- Improving data protection and privacy practices
- Extending information security’s reach within the business
Next Steps
So, what should your organization be doing now that the deadline has passed and the heat is on? First, figure out where all your customer (individual) data is. Second, conduct a gap analysis. If your company is not in good data shape, you must identify the key areas that require assessment and remediation, and tick those off your list as quickly and thoroughly as possible.
You should aim for complete visibility into your current state and a detailed plan for what you want to achieve and how to move expeditiously toward those goals. Set up regular review processes, document all efforts, and make sure that all stakeholders are on board and understand the rules and the consequences of not following them.
For companies that have been working diligently on preparations and are essentially compliant, this is the time to focus on the finer points of the regulation (e.g., data subject access procedures), and to put policies and processes in place to ensure that the ecosystem of service providers, vendors, and partners can be managed in a comprehensive but streamlined manner.
Consequences
May 25 was the starting line, but it’s important to remember that we never know which way regulators and legislators are going to go until they act. Also, data breaches can happen anytime, to any company. Now is a bad time to bet that GDPR enforcement won’t affect your organization.
In the event of a complaint, breach, or audit, information commissioners will not tolerate “I didn’t know” or “I’ll have to look into it” as answers. You have to know and have to be confident that you have the right processes in place, and you have to be able to defend them as being reasonable and compliant.
Supervisory authorities are government-appointed bodies that have powers to inspect, enforce, and penalize the processing of personal data. Supervisory authorities will investigate any complaint that they receive through a variety of measures such as audits, and reviews of certifications and codes of conduct.
Complaints may be received not only from the data subjects themselves but also from any organization or association that chooses to complain or has been chosen by a data subject to represent their interests.
These authorities have a variety of corrective powers from which to choose, including the ability to issue warnings and reprimands to controllers or processors. Far more substantial powers include compelling an organization to process data in certain manners, or cease processing altogether, as well as forcing an organization to communicate data breaches to the affected data subjects.
No organization that operates on a global footprint of suppliers can afford to be negligent or to fall behind on GDPR compliance. The checklist of rules requires extreme preparation and responsibility, all of which must be shouldered by the organizations. GDPR affords individuals new and enhanced rights and freedoms and holds organizations responsible for enabling them. Especially for U.S. companies, there’s not much help to be found through government or regulatory agencies. This is a risk best managed by establishing an enterprise-wide GDPR program.
The Big Picture
GDPR and related events (e.g., the Facebook debacle) offer a compelling opportunity — the perfect set-up for inspiring everyone in the organization to participate in the discussion and work around data privacy protections. Just as with security awareness and cyber hygiene, every employee should consider protecting data to be their individual responsibility.
Everyone needs to understand the GDPR requirements and consequences, the importance of following related policies and procedures, and the imperative of assessing and monitoring third parties.
We recommend proactive education on these topics and audits to gauge how successful those efforts are; building a corporate culture that prizes and respects data privacy will pay dividends for years to come.
While every organization should judge the risks and rewards of its own data protection investments, the GDPR offers a unique opportunity to translate necessary compliance actions into tangible business benefit. Structure your GDPR programs to exploit these opportunities and develop the resilience and capabilities to meet future regulatory challenges, consumer expectations, partner requirements, and threats.