We’re three months into the European Union’s implementation of the General Data Protection Regulation (GDPR), and many companies are still struggling with how best to comply with the new rules.
This is not surprising given that a survey conducted shortly before the enforcement date, during Donnelley Financial Solutions' global Deciphering GDPR webinar, revealed that 38 percent of companies believed they were "Not Very" or "Somewhat Not" prepared to be in compliance with GDPR by May 25. At the time, fewer than 20 percent believed their companies were "Very Prepared."
We began taking steps over a year ago to ensure our own systems and processes were fully GDPR compliant. Surprisingly, nearly 30 percent of companies surveyed did not begin GDPR preparations until one month prior to enforcement. Only 19 percent began preparing for the extensive regulatory changes more than 12 months ago, and just 31 percent confirmed the appointment of a Data Protection Officer (a GDPR requirement for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data) within their organizations.
GDPR impacts your business even if you don't have operations in Europe. Any business that processes the personal data of individuals in the EU, even a single customer, in connection with offering them goods or services or monitoring their behaviour must comply with this comprehensive new set of regulations. Personal data can be anything that identifies or relates to an identifiable person: a name, a photo, an email address, posts on social networking websites, medical information, bank details, a computer's IP address, a national identification number or a physical address. The GDPR's reach is very broad and applies to almost any information gathered about individuals.
Unlike past privacy regulations, GDPR has more stringent enforcement mechanisms and carries larger fines for non-compliance. A personal data breach, even an accidental one, must be reported to the supervisory authority within 72 hours of the company becoming aware of it where feasible, and breaches that are not dealt with promptly will place companies at greater legal risk than in years past. Financial penalties for data protection violations step up massively, with the most serious violations carrying a price tag of up to €20 million or four percent of a company's annual worldwide turnover, whichever is higher. Compliance will cost money and time; avoidance will cost far more when penalties hit.
It is surprising how differently organizations are reacting. In May, Tribune Publishing and A&E Television announced their intent to block all EU IP addresses from accessing their websites altogether, a move that indicates they believe it is easier to block 500 million people's access than to comply.
The problem here is twofold. On the one hand, companies that merely block access are still not in compliance: geo-blocking new visitors does nothing about the personal data of EU individuals they already hold, nor about EU users who arrive through a VPN or a non-EU network, and that existing data is the crux of the GDPR's privacy protections. On the other hand, these companies may not be entirely wrong that it is easier to simply put up a geo-block, provided they are actively working on aligning their data policies to comply with the law at the same time. Think of it as the plywood perimeter around a construction site keeping people out until the work is done.
One of the greatest difficulties in GDPR compliance comes from the requirement that companies remain responsible for the data practices of their vendors and sub-processors: a controller may only use processors that provide sufficient guarantees, and Article 28 requires a written contract with each of them setting out specific obligations, including the flow-down of those obligations to any sub-processor. For nearly any company that deals in digital information, this could be a dizzying array of contracts to pore over.
With the implementation of GDPR, the concept of an individual's privacy has shifted from simply a legal concern to also a technology and security issue that demands attention from senior management and boards. As evidenced by the multitude of high-profile corporate data breaches, securing users' data is a complex, expensive and cumbersome process. Boardrooms that make data privacy a priority across their organizations will learn that it is not only good business practice but also a significant competitive advantage.
The right internal structure at board and company level is an important first step to facilitate GDPR compliance and should include the following:
• Designate an experienced leader with proven cyber security and privacy expertise who reports to the C-suite, if not a C-level function itself;
• For many organizations, establish a dedicated Data Privacy Office;
• Organize a Third-Party Risk Management team that will be responsible for ensuring external business partners adhere to GDPR, and the many other privacy and/or security laws in place across the globe;
• Ensure Privacy by Design and Privacy by Default are foundational to all technology programs;
• Prepare a risk-based Data Protection Impact Assessment (DPIA), which GDPR requires before any processing likely to result in a high risk to individuals, that addresses questions such as "What technological controls are present (or absent) within our processing activities?" This examination may reveal unexpected gaps in your GDPR compliance;
• Establish a Data Privacy Awareness program that includes mandatory annual training for all employees and focused training for Marketing, Human Resources, and other roles that routinely process PI.
If the pace of GDPR adoption in the short window leading up to the enforcement date is any indication, companies are late to the game in having the right internal structures in place to meet the new regulations. Compliance will cost money and time, but avoidance, which will cost far more if penalties hit, is no longer an option.