On 25th May 2018, the EU General Data Protection Regulation (GDPR) will finally come into force, after years of planning. But in reality, this date will represent just the start of a long compliance journey for many. Awareness of the regulation has certainly risen, but not to the point where organizations know what they’re doing. Far too many still incorrectly assume that investing in a few eye-catching security technologies will do the trick. They believe regulatory fines are something that will happen to other firms, not theirs.
In short, it could take as long as five years before we see high levels of true GDPR compliance. Until then, it could be a rocky road for many if they don’t focus right now on the basics of documentation and process.
There’s still a prevailing attitude in many boardrooms that breaches and subsequent GDPR fines will not affect their organization. One report claims that 38% of IT decision makers believe their organization does not view compliance with the GDPR by the deadline as a priority. I find this attitude baffling given the high stakes involved — after all, a fine of 4% of global annual turnover is enough to cost any CEO, CISO or CIO their job. Just look at what happened at many high-profile organizations after recent breaches. Some might be half-expecting, half-hoping that the regulators will go easy for a year or two until firms have caught up. This would be a major tactical miscalculation.
I predict that the regulators will hit the ground running this year to levy some major fines on organizations around the world. And as the fines start to mount, so will the panic in boardrooms. The result? Investment finally released for comprehensive compliance projects. But it will be much harder to find the right expert partners in this sudden scramble to get help, and that help won’t come cheap. Compliance will be rushed, inevitably leaving gaps, and all the while organizations will remain exposed to the risk of breaches and regulatory scrutiny.
The way forward
Technology can only help GDPR compliance as part of a comprehensive process-driven approach. To that end, when firms finally begin in earnest they will need to understand:
- Where their customer/employee personally identifiable information (PII) is stored
- Where data flows within and outside the organization
- Which data needs to be permanently deleted according to the principle of data minimization
- Where it needs to be retained and encrypted or pseudonymized, perhaps to meet other regulatory requirements such as those in healthcare
Mid-sized firms are arguably the worst prepared for the 25th May deadline thanks to confusion over ownership of the GDPR and resource constraints. But larger firms also have challenges, for example, in managing the sheer weight of documentation necessary to comply. Data Protection Officers (DPOs), mandated by the regulation for many firms, will help with the process as long as they aren’t marginalized inside the organization. But privacy officers have traditionally been seen by many businesses as a brake on innovation rather than an enabler of growth.
However long it takes organizations to get their GDPR plans in order, one essential truth will remain: compliance is not a destination, it’s a continuous process of improvement.