Advanced Threat Protection


GDPR: How prepared are you for May 2018?  

Oct 11, 2017 08:46 PM

GDPR: How prepared are you for May 2018? And what’s likely to happen if your business is not compliant

By Robert Arandjelovic, EMEA Director of Security Strategy, Symantec

Symantec recently hosted a live panel to help organisations get ready for the imminent GDPR. With contributions from law firm White & Case, Mandiant, Commvault and Symantec, one issue rang out particularly strongly to me: is GDPR a ‘cliff edge’ issue?

We polled over 1,000 participants, only 19% of whom said they feel ready for GDPR – a figure that might decline when more granular conversations about the ins and outs of information risk and mapping begin. 

So how do the majority of respondents, who say they are either not ready for GDPR or are not sure whether they are, feel? Concerned.

The main issue surrounds the fines that could be imposed for non-compliance: the worst infractions could mean a whopping €20 million or 4% of your organisation’s global annual turnover, whichever is higher.[1] It is this spectre that got me thinking… With the GDPR coming into force imminently, many organisations will be wondering whether, should they be hit with a large fine, it could send their business off a cliff.

Our panellists felt that even if hefty fines are levied as a result of compliance violations, the ultimate objective is to see organisations putting consumers and citizens first, chiefly through greater transparency into the use and, should it happen, the loss or misuse of their personal or sensitive data.  While enforcement motivations and attitudes will vary between authorities across the EU, the ICO recently made a statement elaborating the position of British authorities with regards to fines.

Therefore, if your organisation can demonstrate it has taken measures to increase transparency and improve how it collects, processes, and protects data, these can go towards mitigating the consequences of a breach or violation, including whether your business is issued with a sizeable fine. That’s not to say that regulators will do nothing if you are found to be in violation of the GDPR on May 25th 2018. So make sure you meticulously document the progress you have made to support compliance and what work you have still to do – along with a timetable and investment plan.

You cannot ignore GDPR. Organisations are obliged to report personal data breaches to the Data Protection Authority (DPA) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals.

Ensure that you have the right technology in place to encrypt personal data wherever it is stored or transmitted. Encryption of personal data is a mitigating factor both for your notification obligations and for potential sanctions: if encrypted data is exfiltrated, it is effectively unusable by attackers. Note that this only holds if the encryption keys were not exposed alongside the data, so key management and access control over the keys matter as much as the encryption itself.

Ensure that you also have the right technology and processes in place to quickly identify that a breach has occurred and to assess its nature and impact: which data, which individuals, and what the likely consequences are. Refresh and refine these processes over time as your use of data evolves, and exercise them as appropriate so that the 72-hour window is achievable in practice.

The sooner you take action the better. May 25th, 2018 is not a deadline after which your compliance efforts don’t matter. Regardless of your organisation’s state of readiness, what’s important is to build your own compliance timeline with a well-documented plan. This can go a long way towards mitigating or avoiding penalties if an investigation takes place before you are fully compliant. And just like cybersecurity, don’t assume that there is an end-state: GDPR compliance is an ongoing process of continual improvement, evolving as your business and data processing practices change.

Start with an impact assessment. To truly embrace the GDPR’s objectives of putting consumers and data privacy first, create a cross-organisational GDPR team that extends beyond compliance to include stakeholders from legal, risk, lines of business, digital & marketing, IT, cyber security and senior operations personnel. Together, map all the personal and sensitive data that your organisation processes on-premises, in the cloud and on user devices, and get a clear understanding of who can access it, how well it’s protected, and whether there are any data residency concerns. Understand any potential gaps vis-à-vis GDPR and how resolutions can be woven into any existing compliance processes you have in place.

Once you’ve gained a clear understanding of the gaps between your organisation’s processes and the requirements of the GDPR, you can prioritise which ones present the greatest business risk. Then plan any process improvements and supplement your existing security investments – including those that tell you where compliance data resides, make it safer, govern access, and help detect and prevent breaches.

You can access all the practical support our panellists delivered to get better prepared for GDPR. The full BrightTALK panel, Benchmark Special: How prepared are you for May 2018?, is available now.
