GDPR, short for the European Union's (EU) General Data Protection Regulation, will take effect on May 25. It's the most significant new compliance regulation in years, and from the looks of it, many enterprises will have a tough time complying with the new data privacy law.
It should be noted that GDPR doesn't solely apply to European firms. Any company doing business in the region that is entrusted with data on individuals in the EU must also adhere to the regulation.
A recent study from HyTrust, conducted at the VMworld 2017 conference in Las Vegas, found that a whopping 79 percent of companies have no plans in place for GDPR. Another study from Varonis revealed that a whopping 90 percent of IT decision makers saw challenges complying with GDPR a year before the enforcement date.
Many organizations anticipate spending millions of dollars to upgrade their IT systems and processes, but that pales in comparison to the financial impact of running afoul of EU regulators. Penalties for failing to keep a lid on your users' data can rise to four percent of your organization's global annual revenue. For corporations that earn billions each year, it can quickly add up to tens of millions of dollars or more.
eSecurity Planet asked some industry experts for their insights on what CIOs, CISOs and business leaders can do to get their organizations ready for GDPR. Here are their recommendations.
Pay a little now or a lot later
Peter Merkulov, chief technology officer of GlobalSCAPE, a secure data integration and movement software company, believes in investing in privacy-protecting systems and solutions to avoid costly fines and other damaging consequences.
"No matter how deep your organization's pockets might seem, the cost of non-compliance far exceeds the relatively small costs associated with meeting compliance mandates," Merkulov said. "According to a recent Globalscape-Ponemon report, non-compliance costs reached $14.82 million annually last year, whereas the cost to comply averaged around $5.47 million annually. That's a whopping 2.71x the cost of maintaining or meeting compliance requirements."
And the EU's penalties are only the start of the pain corporations will feel if they don't take GDPR seriously.
"Non-compliance costs come from the costs associated with business disruption, productivity losses, fines, penalties and settlement costs, among others. Clearly, complying with data protection regulations is expensive, but non-compliance will cost organizations much more," Merkulov added. "And in a time when mega-breaches like Equifax are becoming regular headlines, protecting data is a critical necessity, not a nice-to-have option."
Respect users' right to be forgotten
GDPR contains a "Right to Be Forgotten" provision (Article 17) that requires organizations to securely delete a user's data upon request.
In today's data-driven world, getting rid of valuable user information runs counter to the store-everything ethos that guides the data management strategies of many organizations. The Varonis study identified the user data erasure requirement a key GDPR challenge among IT decision makers.
Peter Smails, vice president of business development at data management specialist Datos IO, recommends taking a look at personally identifiable data that may linger in databases and backups.
"Increasingly, companies have database clusters spanning multiple data centers and multiple continents, including hundreds of terabytes of data, but with new GDPR regulations such as individuals' right to be forgotten, enterprises need the ability to back up and restore data at a sub-table or single data center granularity," Smails advised. "To be compliant, companies will require data management tools with capabilities such as any point-in-time backup, as well as query-able and incremental restore to enable fast, sub-table level recovery, all of which reduce recovery times and minimize storage requirements for large-scale restore operations."
Darren Abernethy, Senior Global Privacy Manager at TrustArc, offers a handy checklist of practices that can help organizations deal with user requests to remove their information from a company's IT systems.
"The GDPR's right to erasure sets forth that data subjects have the right to obtain from a data controller the deletion of the personal data held about them — 'without undue delay' — if the continued processing of that individual's personal data isn't justified," Abernethy said.
"Because the law further provides that, for instance, this would be the case where the personal data is no longer necessary for the original purposes of collection, or where the individual withdraws his/her consent to the processing, this firmly places responsibilities on companies around the world that process EU-originating personal data to have embedded certain practices into their workflows."
Here are those practices, according to Abernethy:
- Performing company-wide data flow mapping/inventorying for each business process to know what data is collected, from where it originates, with whom it is shared, how sensitive it is, and how it should be classified for storage/deletion;
- Having a centralized system for tracking and date-stamping user consents; and
- Maintaining standardized record-keeping that sets forth the legal grounds for any data processing, including possible rationales as overriding grounds for continuing the processing.
Focus on accountability, employees
It's time to get serious about data governance programs and ensuring their effectiveness with frequent audits, says Merkulov.
"Governance can help organizations maintain the appropriate oversight required to understand, track and audit where sensitive data ends up. This is increasingly important as there are specific response times or data protection measures required in regulations like GDPR or PCI-DSS [Payment Card Industry Data Security Standard]," he said. "Whereas regular audits can provide details on where an organization is exceeding or not meeting compliance measures before an incident or regulatory body enacts fines or other penalties."
And don't forget to arm your IT workers and rank-and-file employees with the tools they need to keep your customers' data safe.
"In addition to complying with regulatory guidelines, organizations should provide employees with the right tools to ensure they're consistently working in ways that improve security posture and keep data safe," Merkulov added. "To counter the problem of end user error or poor data sharing practices, companies should consider offering their workers intuitive, convenient tools that automatically provide higher levels of protection, such as encryption."
For more on technologies that can help with GDPR compliance, see Enterprise Technologies That Tame GDPR Compliance.