GDPR - Is your business ready?
Written by Michelle Stevens
It may be just under two years until the General Data Protection Regulation (GDPR) comes into effect across the EU, but businesses who are not preparing for this game-changing legislation now are already behind the curve, says Dana Louise Simberkoff, the Chief Compliance and Risk Officer at AvePoint.
“When organisations hear that the GDPR will be in full force in two years, some make a note to themselves that they will look at it in 18 months and start budgeting for it sometime in 2017 or 2018. But if companies haven’t already started working on this then they are already too late,” Simberkoff explains. “It is a massive undertaking to shift a large business into a mindset where they not only know all the data they hold, but they control all the data they hold – and that’s not just data in their major IT systems, but every piece of personal information that the company creates, collects and maintains themselves, or shares with their partners, vendors and customers.”
The GDPR takes effect on 25 May 2018, giving organisations around 21 months to implement the necessary changes to their data protection compliance programmes, business processes and IT infrastructure. The law will require companies to ascertain specific consent on data collection from their customers; build in data protection when designing new products or services; implement and provide evidence of data protection programmes, privacy assessments and data inventories to regulators; offer individuals ‘data portability’ capabilities; and report any data breaches within 72 hours.
And the stakes are high for noncompliance – with significantly increased fines of up to four per cent of a company’s annual turnover. Businesses from outside the EU will also fall under the scope of the GDPR if they offer goods or services to EU residents, or monitor the behaviour of people living in EU member states.
“If companies are not already thinking about how they are going to be aware of their data, hold it, maintain it and delete it, then they are going to be in for quite a big shock,” Simberkoff continues. “And the penalties that are going to come to bear here are huge – four per cent of global annual revenue is a shocking number; what used to be fines for large companies in the millions could now potentially be in the billions. That is something that is going to get, and is already getting, board-level attention.”
Unlike in the United States, the current EU data directives do not specifically require the reporting of data breaches to authorities or the wider public, although doing so is usually best practice (and brand damage limitation). “Now, every single breach of personal data that creates a risk to people will have to be notified and self-disclosed to EU state privacy regulators, as well as to the individuals concerned,” notes Bojana Bellamy, President of Hunton & Williams LLP’s Centre of Information Policy Leadership, a global think tank that works to enhance privacy and security policy, law and practice. “I think this will push organisations to think much more about their security measures to proactively prevent a breach, but also, if a breach does happen, about how they report it externally and manage the media, the investigatory forensics process and customer relationships afterwards.”
Indeed, the new reporting obligations could give the impression that the number of data breaches has soared in the short term, Simberkoff adds. “Realistically, I think as a result of this law we will see breach reporting in Europe skyrocket – not because those breaches weren’t happening before, but because they did not have to be reported. There has been a lot of attention on breaches at US companies and it is not necessarily because they are doing a poor job of securing their data, it is because they have to report them. It will become a question of not if but when you have a breach: can you demonstrate that you had controls in place to prevent it, you could find it quickly, respond to mitigate damage, and react swiftly to prevent ongoing issues?”
One consequence of the substantial data mandates of the GDPR will be a significant rise in the number of privacy officers, Bellamy predicts, as organisations are compelled to implement robust privacy management programmes, with policies, procedures and training measures. “Appointing data privacy officers will be mandatory for the majority of organisations in the private sector, and all organisations in the public sector,” she explains. “So we are going to see this new breed of privacy officer, this new profession. The International Association of Privacy Professionals (IAPP) estimates that the GDPR will require 28,000 new privacy officers across Europe. We do not have that number of people at the moment to support this very specialist area of law, compliance and consumer information management.”
Ahead of the GDPR roll-out, AvePoint has provided IAPP members with a free Privacy Impact Assessment System resource, which has already been downloaded more than 3,000 times. The company and the Centre of Information Policy Leadership have also recently embarked on a survey of AvePoint clients and centre members to benchmark readiness for the GDPR across different industries and different sized firms. Preliminary results reveal that overall, 76 per cent of businesses feel that the new legislation will result in significant changes to their privacy management operations.
But despite the new onus that the GDPR places on companies, the growing volume of customer data is also an opportunity for companies, says Simberkoff. “What I think is best practice under GDPR ties to really good data lifecycle management within a business. So to a great extent GDPR actually quantifies what companies already should be doing, and it is a chance for companies to clean up their practices and put some good data management programmes in place,” she concludes. “Under this new law the data that you hold can either create the greatest risk or the greatest opportunity.”