Data protection and cybersecurity are on a path to convergence. And that convergence is about to accelerate thanks to the European Union General Data Protection Regulation (GDPR).
When the GDPR goes into effect in May 2018, it will impact the global data protection landscape on an unprecedented scale.
The GDPR's Far Reach
Under the GDPR, any company with a specific European presence will be subject to its requirements, as well as companies offering goods or services via a website to EU citizens. Cloud services developed by US-based organizations will also fall under the umbrella — merely because they are available to EU-based individuals, even if the company is not established in the EU.
The regulation also includes:
- Potentially significantly greater fines for data breaches of up to four percent of annual global revenue
- Privacy Impact Assessments (PIAs)
- Privacy and Security by Design
- Inventories and data mapping of personal information across business systems
- Mandatory appointments of Data Protection Officers (DPO)
- Evidence that organizations are doing all of these things
Compliance is no small undertaking. It requires a major shift for many companies — even those with a privacy program already in place.
New obligations for the Chief Information Officer (CIO), Chief Information Security Officer (CISO) and the business mean that an organization that waits for the law to come into effect will already be too late.
Benchmark Your GDPR Readiness
We decided to take a deeper look into what organizations around the world are doing — or not, as the case may be — to prepare.
The objective of the survey was to help organizations benchmark and prepare their privacy programs, as well as their change management programs, for GDPR implementation. The questions focused on the key change areas and topics of the GDPR that relate most to everyday business and compliance concerns.
Getting There, But Still Not Ready
The survey respondents totaled 223, predominantly made up of multinational organizations. According to respondents, 93 percent of organizations operate in Europe, more than half operate in the US and less than half operate in South America and Asia.
The survey revealed that most companies have started the process of assessing the impact of GDPR on their operations, devising an organization-wide implementation plan and evaluating the need for additional resources.
We observed the following key trends:
1. GDPR Impact
Respondents believe that the GDPR requirements for a comprehensive privacy management program, use and contracting with processors, as well as data security and breach notification will have the largest impact on their organizations.
As expected, senior management is most concerned about the GDPR’s enhanced sanction regime and the data breach notification requirements, as well as how the regulation will impact their data strategy and ability to use data.
2. GDPR Readiness
Organizations appear to be in varying stages of preparation for the GDPR. While most have appointed a DPO, many organizations are either increasing resources in preparation or in the process of considering additional resources to meet the increased obligations under the GDPR.
3. Compliance Technology Tools and Software
Currently, organizations do not appear to widely use or have access to technology tools and software to aid with data privacy and compliance tasks.
Only a minority of organizations use technology to automate and industrialize their Data Protection Impact Assessments, data classification and tagging policies, data processing inventories and delivery of the new data portability right.
4. Collective Approach to GDPR Implementation
Because of the interdependencies between data privacy, compliance, IT systems, IT infrastructure and the organization's data strategy, GDPR implementation should be a company-wide change management program, with a concerted effort from senior leadership, including the DPO, CISO, CIO, Chief Data Officer (CDO) and General Counsel.
Progress, But Much Work Remains
Operationally, there's been encouraging progress, but clearly much work remains.
The report found only 33 percent of respondents tag and classify the data they hold to indicate whether or not it contains personally identifiable information (PII) or Sensitive PII.
Of those that do tag data, only 10 percent use any kind of automation — the others rely on end users to tag.
A manual approach is extremely problematic from both a security and a data protection/privacy perspective, because every other decision about data stems from whether or not a company is managing PII. What these responses tell us is that these organizations are either building policies and procedures and hoping that people follow them, or relying on business users to tag their own data.
Neither of these answers is technically or operationally sound.
End users are notoriously bad at tagging their own data, and without automation, it’s almost impossible to implement a good data protection program.
Further, only 26 percent of respondents keep a record of processing and data transfers. It’s funny then that almost 58 percent say they understand data lifecycle management within their organizations.
We can presume that while organizations may understand what their policies state, if they don’t know what data they hold, they don’t know whether or not anyone is actually doing what they are supposed to be doing.
Get to Work
Because data protection and cybersecurity are two critically important and converging paths in the digital market, organizations should streamline their internal programs and pursue interdepartmental, cross-functional efforts toward GDPR compliance.
Because privacy and security risk management intersect with other data lifecycle management programs within your company, combining these related areas lets you better optimize resources and risk management for information assets, supporting responsible, ethical and lawful collection, use, sharing, maintenance and disposition of information.