With the compliance deadline for the European Union's General Data Protection Regulation (GDPR) just days away, a number of surveys have found that most companies just aren't ready for the data security and privacy regulation – and don't expect to be by the end of the year.
So what risks do those non-compliant organizations actually face? Fines for several violations could be as high as 4 percent of annual revenue, but are also expected to be "effective, proportionate and dissuasive," according to Article 83 of the regulation. So how severe are regulators likely to be?
Some initial GDPR lenience likely
In the short term, at least, GDPR enforcement doesn't look too bad. Annabelle Richard, partner at law firm Pinsent Masons, said the French data protection authority CNIL "has confirmed that companies that are not fully compliant with the GDPR by 25 May can expect to be treated leniently initially provided that they have acted in good faith by attempting to achieve compliance."
Still, Richard noted, that only applies to compliance with new requirements, such as the right to data portability, or the requirement to conduct data protection impact assessments (DPIA).https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"Businesses should note that the CNIL's position on enforcement will be different, and much stricter, in relation to non-compliance with the 'fundamental principles of data protection,'" such as rules on fair processing, deleting data when it's no longer needed, and keeping personal data secure, she said.
Chris Olson, CEO of The Media Trust, said told eSecurity Planet by email that GDPR commissioners have made it clear the heaviest fines will be imposed on companies that show little or no effort in complying with the law.
Still, Olson said, the fact that the UK Information Commissioner's Office recently fined Greenwich University £120,000 for a data breach should be seen as a clear signal that regulators won't shy away from imposing penalties on companies for failing to protect personal data.
"The signal clearly targets the many organizations that remain unprepared for GDPR, as well as those that might even be weighing whether paying penalties will cost less than upgrading data processes," he said.
Most importantly, Olson advised, be wary of viewing GDPR the way you likely viewed Y2K – i.e., just fix it once and you're done. "GDPR is not a test you take once on any given day – you take it every single day for as long as the law applies to you," he said. "Enterprises will need to continuously update documentation of the data they collect, by whom, and what they do with it."
What's more, Olson said, GDPR will inevitably lead to similar regulations being introduced in other jurisdictions worldwide. "In the years to come, organizations will have to set up the processes for all other markets, for which they will need to document and manage their data flows, get the consent they need, and immediately terminate any unauthorized activities," he said.
Where companies will fail GDPR compliance
Imperva CTO Terry Ray said it's important to keep in mind that GDPR is ultimately about encouraging improvements in the security and privacy for personal data. "Organizations are not likely to get full compliance straight out of the start gate," he said. "Instead, auditors will find violations and leverage them to drive change within organizations working towards the goal of security and privacy."
That said, Ray said there are five ways he expects to see organizations fail in their first audits:
- Organizations won't be able to demonstrate that they know where all stored personal data is located. "They will show where they believe it is, without being able to prove that it is not elsewhere," Ray said.
- Monitoring all access to personal data will be a key challenge, as enabling database or file level logging for personal data will likely have a huge impact on the speed of databases and file servers. "This is a great example of why regulations like GDPR are necessary, since without them, organizations deprioritize watching your personal data," he said.
- The vast majority of organizations will struggle to meet encryption requirements. "The massive impact and cost of encrypting all private data at rest will prevent most organizations from meeting the requirement," he said.
- Tracking users who access personal data could also be a challenge, depending on how the requirement is interpreted – will identifying a user ID and its activities be sufficient, or does the actual person behind the user ID have to be identified?
- Every organization will need to have clear plans in plans to mitigate breaches of personal data, but few companies implement enough controls close to the data – they rely on traditional endpoint security software and firewalls, and lack sufficient protection against breaches by authorized users.
Regional enforcement differences
Nigel Tozer, solutions director at Commvault, said that while there should be no difference in the application of GDPR among EU member states, individual countries are allowed some derogation – and there's nothing to stop a country from applying their own regulations on top of GDPR. "Germany, for example, already has laws that go beyond GDPR in some areas," he noted.
For any business that provides services to EU residents, it really won't make any difference if they're based in the EU or elsewhere in the world, Tozer said. "A large business may choose to pay the fine, as the revenue is worth it, or they could close their business to EU residents and walk away," Tozer said. "If they have EU offices, then actions will be taken against them as a native EU business, but fines will be based on global revenue (of the parent company)."
Olson said the challenge of enforcing laws across borders won't stop regulators from making every effort to do so – and potentially banning companies that don't comply from doing business in the EU. "In fact, there is no difference in enforcement for companies that are based outside the EU for as long as they collect personally identifiable information on EU citizens," he said. "The same requirements and penalties that apply to companies in the EU will apply to them."
For more on GDPR compliance, see GDPR Compliance Solutions.