On 25th May 2018, the EU General Data Protection Regulation (GDPR) will finally come into force, after many years of planning.
But in reality, this date will represent just the start of a long compliance journey for many. Awareness of the regulation has certainly risen, but not enough so that organisations know what they are doing. Far too many still incorrectly assume that investing in a few eye-catching security technologies will do the trick. They believe regulatory fines are something that will happen to other firms, not theirs.
In short, it could take as long as five years before we see high levels of true GDPR compliance. Until then, it could be a rocky road for many if they do not focus right now on the basics of documentation and process.
There is still a prevailing attitude in many company boardrooms that breaches and subsequent GDPR fines will not affect their organisation.
One report claims that 38 per cent of IT decision makers believe their organisation does not view compliance with the GDPR by the deadline as a priority. I find this attitude baffling given the high stakes involved — after all, a fine of 4 per cent of global annual turnover is enough to lose any CEO, CISO or CIO their jobs. Just look at what happened to many recent, high profile businesses post-breach. Some might be half-expecting or half-hoping that the regulators will go easy for a year or two until firms have caught up. This would be a major tactical miscalculation.
I predict that the regulators will hit the ground running this year to levy some major fines on organisations around the world. As the fines start to mount, so will the panic in boardrooms. The result? Investment finally released for comprehensive compliance projects. But it will be much harder to find the right expert partners in this sudden scramble to get help, and that help won’t come cheap. Compliance will be rushed, inevitably leaving gaps, and all the while organisations will remain exposed to the risk of breaches and regulatory scrutiny.
Technology can only help GDPR compliance as part of a comprehensive process-driven approach. To that end, when firms finally begin in earnest they will need to understand:
- Where their customer/employee personally identifiable information (PII) is stored
- Where data flows within and outside the organisation
- Which data needs to be permanently deleted according to the principle of data minimization
- Where it needs to be retained and encrypted or pseudonymised, perhaps to meet other regulatory requirements such as in healthcare.
Mid-sized firms are arguably the worst prepared for the 25th May deadline thanks to confusion over ownership of the GDPR and resource constraints. But larger firms also have challenges, for example, in managing the sheer weight of documentation necessary to comply. Data Protection Officers (DPOs), mandated by the regulation for many firms, will help with the process as long as they aren’t marginalised inside the organisation. But privacy officers have traditionally been seen by many businesses as a brake on innovation rather than an enabler of growth.
However long it takes organisations to get their GDPR plans in order, one essential truth will remain: compliance is not a destination, it is a continuous process of improvement.
By Kai Grunwitz, Senior Vice President EMEA at NTT Security
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/