The General Data Protection Regulation, or GDPR, is due to take effect on May 25. Here are my thoughts on what it is, how it threatens your enterprise, and what you can do to prepare for, deal effectively with, and even take advantage of it.
GDPR: What You Need to Know Now
- GDPR was designed by European Union (EU) regulators to protect the personally identifiable information, or PII, of EU citizens, wherever they are around the world.
- It therefore affects every organization that deals with EU citizens and their PII, no matter where that organization may be.
- Your enterprise must not only become GDPR-compliant, but must be able to demonstrate compliance credibly, should a regulator request or demand that you do so.
- It also includes specific requirements for how soon your organization must disclose the existence of a serious cybersecurity breach, once one is discovered.
- The penalties for non-compliance? As much as four percent of your organization’s entire annual revenues, or 20 million Euros, whichever is higher.
GDPR: You’re (Probably) Not Ready
Respected market watchers and regulators agree. Many if not most enterprises likely to be affected by it are not yet fully prepared to deal with GDPR.
A Feb. 2, 2018 ZDNet report summarized key findings from a new Forrester Research report, The State of GDPR Readiness.
- “[J]ust a quarter of organisations across Europe are thought to be GDPR compliant already, while another 22 percent expect to be GDPR compliant in the next 12 months.”
- “Forrester found that 11 percent of organisations are still considering what to do about it, while eight percent of organisations aren’t familiar with the new regulations at all.”
- “Forrester’s research found that it’s organisations in media and retail — sectors which handle some of the largest amounts of customers’ personal data — are currently the least prepared for GDPR, with just 27 reported to be fully GDPR-compliant.”
These findings echo initial results of the United Kingdom (UK) government’s 2018 Cyber Security Breaches Survey, as released on Jan. 24, 2018.
- “38 per cent of businesses, and 44 per cent of charities, say they have heard of the General Data Protection Regulation, which is the foundation of the UK’s new Data Protection Act.”
- “Among those aware of GDPR, just over a quarter of businesses and of charities made changes to their operations in response to its introduction.”
- “Among those making changes, just under half of businesses, and just over one-third of charities, said these changes included those to cyber security practices.” The most popular changes included creating or changing policies or procedures, additional staff training or communication, and new and updated systems and cybersecurity software.
GDPR: What You Need to Do Now
You need to know all you can know about every actual and possible point at which your business interacts with the PII of any EU citizen. This means a careful, complete audit of your complete IT environment, including connections to external constituents, including partners and customers. Every touchpoint with EU PII you miss is a potentially disruptive, embarrassing, and expensive GDPR violation.
If your enterprise has effective solutions and processes in place for cybersecurity, endpoint, and/or IT asset management (ITAM), any or all of these can provide a jump-start to your auditing efforts. If your organization has none of these, now is the time to change that situation.
Multiple vendors and service providers offer solutions intended to help businesses become GDPR-compliant. Find out what your incumbent IT solution and service providers can do to help you, and what other companies like yours have done and are doing. Engage with all of your partners and providers, and find out what PII protections that have in place and planned. Use this information to identify and prioritize your vulnerabilities to non-compliance with GDPR, and to build a plan to address these.
Doing so will do more than get you closer to GDPR compliance. Better cybersecurity and protection and management of information about your customers and prospects can even create opportunities for new revenue streams by generating new insights into those customers and prospects.