SAN FRANCISCO — Last December, the European Union came to an agreement on the General Data Protection Regulation. Organizations now have about two years to comply.

The regulation resulted from a proposal in January 2012, with the goal of strengthening data protection for European citizens. 

But the rules will apply to businesses outside the EU, so the best way for organizations to ensure compliance is to plan their security and privacy strategy now.

CMSWire contributor Dana Simberkoff, chief compliance and risk officer at AvePoint, led the discussion at the RSA Conference here this week on the new data protection regulation and how organizations can prepare for the changes.

AvePoint develops, sells and supports governance, compliance and management software for enterprise collaboration systems.

Simberkoff moderated a panel on Tuesday that included Bojana Bellamy, president of the Centre for Information Policy Leadership; JoAnn Stonier, EVP and chief information governance and privacy officer of MasterCard; and Michelle Dennedy, chief privacy officer of Cisco. It was one of the few all-women sessions at a conference that attracted a majority of men.

Measuring Readiness


The law may increase the fines for data breaches from tens of millions of dollars to billions of dollars, Simberkoff said.

It may also require companies to perform Privacy Impact Assessments and appoint data protection officers. 

Big companies, like Google, may have the ability to sue and fight. But not every company can afford to take those hits. “[Make sure] everyone in your supply chain has good business practices,” Simberkoff suggested.

Also consider basic certifications for staff, like those offered by International Association of Privacy Professionals. They can help bring everyone up to speed on privacy laws and regulations.

Simberkoff specifically cited companies with younger founders, who may have grown up with a different perception of privacy. “I’m not suggesting people live off the grid, but the population is very undereducated on [privacy and security].”

The Tool

Simberkoff joined AvePoint in 2012 to head up executive level consulting and research on risk management and compliance. “We’re like the universal translator from Star Trek,” she told CMSWire.

In May 2014, AvePoint developed a free Privacy Impact Assessment tool in response to the regulation to help enterprises protect personally identifiable information. The PIA system is distributed globally by the International Association of Privacy Professionals, of which Simberkoff is a board member.

The PIA system allows organizations to analyze how IT handles personal information. Businesses can use a form-based survey system and built-in workflows to facilitate communication between departments during assessments and generate reports for their privacy officers.

Simberkoff said organizations use the system for Privacy Impact Assessments, but they also find it useful for third-party vendor assessments, business impact surveys, 27002 audits and other creative analysis. In each case, the tool automates what is typically a manual, spreadsheet-heavy process.

“We are really excited about the response to the tool, and we are eager to extend its impact,” she said.

To date, more than 2,700 organizations around the world have downloaded the PIA tool to manage their protected data. But a disconnect remains between the legal, IT and business sides in the way companies tend to think about security, Simberkoff said.

AvePoint will continue working with its partners to create benchmarks in order to rate companies’ readiness and compare them with their peers, Simberkoff said.