Time is running out. The warnings are everywhere. After a two-year transition period, the European Union’s General Data Protection Regulation will be in full force beginning May 25th, 2018. The focus of most communications related to GDPR is on the requirements themselves and the significant financial penalties that companies may be subject to if they fail to comply. It starts with this, but what you may be missing is that GDPR is a significant opportunity for achieving business advantage. Companies that can better respond to the requirements of GDPR, and that can do this faster than their competitors, have a tremendous opportunity to build more trust with customers and a more positive business reputation, which will translate to increased customer preference – and that means a better bottom line. So, what are you waiting for?
At its core, GDPR is about the privacy rights of individuals (which for you likely means customers) – rights around the control, use and protection of Personally Identifiable Information (PII). GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way that organizations approach data privacy. But do not make the mistake of thinking that this is only for European companies. It applies to ANY company that is processing, holding, or making decisions on the purpose and use of any personal data of EU citizens who reside in the European Union – regardless of the location of the company or the company’s service providers (e.g. cloud services or external data centers).
Overall, most organizations are aware that they have data that will be impacted but there is still a lot of uncertainty about how specifically the complex requirements of GDPR may apply to their businesses and this is holding back planning efforts.
- 94% of US CIOs are aware that they have data that is impacted. [1]
- Only 60% of U.S. respondents, though, have plans in place to respond to the impact that GDPR will have on how they handle customer data. [2]
- Only 19% of UK companies have such plans prepared. [3]
The full scope of the requirements for the new GDPR can be found at the EU’s own GDPR portal (http://www.eugdpr.org/). There are essentially eight key high-level requirements:
- Consent for use – consent must be as easy to withdraw as it is to give.
- Right to access – right to know if personal data is used and to get a copy from the data controller.
- Data portability – subjects can obtain/reuse their data by transferring it across IT environments.
- Right to be forgotten – when no longer relevant, data subjects can have data controllers erase their data and stop its dissemination.
- Security of processing – processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized processing and against accidental loss, destruction or damage using appropriate technical or organizational measures (integrity and confidentiality).
- Privacy by design – include data protection from onset of designing systems, products and services.
- Breach notification – organizations must notify their data controllers and the national data protection regulator within 72 hours.
- Data Protection Officers – professional officers appointed in large organizations (250+ employees) that systematically monitor or process personal data.
All of this is made more complex as digital business transformation continues to lead to more diverse, heterogeneous IT ecosystems that include physical, virtual, and cloud infrastructure encompassing mobile, distributed and mainframe computing resources. Companies, and IT organizations within those companies, must define and maintain effective security, governance, compliance, and recovery practices across all of their heterogeneous cloud and on-premises infrastructure in order to not be in violation of the new GDPR standards.
Consequences of Non-Compliance
Failure to meet the requirements across all of these environments can result in a number of significant consequences:
- Penalties of up to 4% of annual revenue or €20M – whichever is higher – for the most serious infringements.
- Tiered fines of up to €10M or 2% of revenue (whichever is greater) for smaller infractions.
- Exposure to the potential of class action lawsuits from end-users whose data has been impacted.
- Risk of lost customers, lost revenue, and damage to the corporate brand/reputation.
In order to address these requirements within today’s IT ecosystem the following capabilities are critical:
- Visibility. Visibility into all of your data center, public cloud, and private cloud assets is a must. To meet the needs of GDPR, IT needs the tools to implement ongoing discovery processes in order to know with confidence where sensitive customer data resides, where and how it is being processed, and by whom.
- Security. The activities of security, operations and development teams must be aligned to maintain security and compliance. Security blind spots must also be identified. The right solutions are needed to analyze and prioritize security threats, automate remediation, and reduce the cost of continuous compliance.
- Integrity. With GDPR, data needs to be available with integrity. IT must monitor and ensure data integrity, validate structured and unstructured data automatically, and ensure that stored data is intact.
- Recovery. Organizations need to ensure that data is recoverable in a timely manner in the event of any physical or technical incident. The recovery requirements are best met with tools that can automate and simplify recovery tasks and provide a backup and recovery solution that can estimate, simulate, and prove your recovery in a timely manner.
Concerns over the impending effects of GDPR are evident. GDPR is wide-reaching and will have many effects on business processes worldwide in the next few years. Companies should prepare themselves for the shifts in requirements sooner rather than later. In fact, doing so sooner than your competitors can be a differentiator. GDPR presents an opportunity to upgrade your security and data management practices. Doing this right, doing this quickly, and doing this with transparency to your end customers will enable you to better align your business execution to those customers and will help to build greater relevance and trust for your brand. Business, after all, is about focus on the customer. If your company has a more positive reputation relative to data privacy, customers are likely to demonstrate a preference for your company even when there are other businesses that offer similar products or services at different prices. Customers are also much more likely to engage with your marketing efforts when they know that those efforts are aligned to explicit permissions that they have granted around who can use their data, what data can be used, and how it can be used.
The requirements and opportunities of GDPR will require strong processes, ‘state of the art’ tools to deliver on the required capabilities, and strong partnerships. Beat the countdown clock to implementation now and get a jump start on your competition.
For additional information on what you can do to be prepared for GDPR, check out these resources:
- When Timing Is Everything — Integrating SecOps with Operations, Development and ITSM
- Insider Threats: The Good, the Bad, and the Ugly
- The Future of Ransomware
- How to Make WannaCry a Non-event: Ransomware’s Got Nothing on Us
- 10 Surprising Findings about Operationalizing Security