6 months to GDPR: What's next?
Six months from now, data handling will be subject to new regulations and yet companies are woefully unprepared.
Of those organizations impacted by the European Union's impending General Data Protection Regulation (GDPR), which takes effect May 28, 2018, 89% are unprepared for the upcoming changes to data handling, according to a PricewaterhouseCoopers survey.
Meeting compliance for the international regulation is complicated, costly and oftentimes lengthy. For tech executives, data imports, exports, access, portability and security will all need reevaluation.
And there is no clear path to compliance. The EU set the requirements and end goals for data processors and controllers, but it is up to these bodies to determine how — and when — to get there.
In the face of numerous pressures to comply, many companies have turned to third parties to usher in changes, and while some have embraced their new responsibilities, most still lag dangerously behind as the deadline nears.
What is GDPR?
GDPR is intended to "harmonize data privacy laws across Europe," according to the EU. This entails significant changes to data handling worldwide, including:
- Extraterritorial scope: application to any EU body or any data processor or controller processing data of EU citizens
Penalties: up to 4% of global turnover or around $23.8 million (whichever is greater)
Consent: companies need clear and understandable terms of how data is being used
Notification: within 72 hours of discovering a breach
Data rights: including access to one's data and the right to be forgotten or erased
Protection by design and default: data controllers are responsible for data protection mechanisms before and during data processing
Data protection officers: to oversee public authorities, data processors and bodies engaging in large-scale monitoring
So what does this mean for companies?
If an organization collects any personal data — from a name to an IP address to a social media post to banking information — that body is responsible for the data and accountable to the individual that data belongs to.
For most, noncompliance without penalty is not an option. The broad scope of the regulation, which extends far beyond the EU member states which passed it, will touch most organizations with a global or European footprint.
Wait, companies don't already protect data?
GDPR will not fill a vacuum for data privacy rules. Many countries and states have already implemented a variety of regulations, especially over the last few years, but GDPR will be the most comprehensive and globally impactful.
Many experts equate it to the Sarbanes-Oxley Act of 2002, which fundamentally redefined how public companies are held legally accountable in the United States.
GDPR will redefine the data processing landscape because it firmly establishes ownership of data with the individuals that data is tied to and distinguishes data processors and custodians as "stewards" or "custodians" of that data, said Dimitri Sirota, CEO of BigID, a startup working with companies on GDPR requirements.
Historically, a company just "smashed data together" without necessarily understanding whose data they had, but "what GDPR cares about is that company is aware that piece of information — payment card, health id, dynamic IP address, all that stuff, gender definition — belongs to that person," said Sirota.
"At the end of the day, the person that's going to be sitting in judgment of you, the company, around how you satisfied that or not, it's not the regulator — it's your customers, it's your employees … And what company doesn't benefit by better securing their customers?"
CEO of BigID
If an individual wants to know what information a company has on them, come May they can ask the company to send the understandable information on what personal data is in store. And if an individual wants a company to get rid of the information collected about them, the company must do so.
Such a request may sound like an easy ask. But many data discovery tools are designed to look for a 16 digit string of numbers denoting card data and do not have the multidimensional capabilities to see how this data is used, its context and who it belongs to, said Sirota.
Upending current systems will cause significant initial disruption, but in the long term the accountability and responsibility will be in companies best interests, said Carolyn Holcomb, cybersecurity and privacy partner for PricewaterhouseCoopers.
"I think when we get out five years, most companies will look back and say, 'Hey, I really feel like I'm doing the right thing — I am protecting our consumers' data,'" said Holcomb. "I'm also making the customer experience better and I'm doing it all the right way."
What will make companies comply?
Data is a strategic asset any modern, successful company cannot function without. But new regulations mean companies will "stop looking at it purely as fuel or wood to burn on the fire to expend and more as vital assets that they need to account and safeguard," said Sirota.
There are three primary pressures pushing companies to take GDPR requirements seriously, according to Holcomb:
Regulatory enforcement through heavy fines
Abilities for class-action like lawsuits against organizations that failed to meet GDPR requirements; this is a new form of legal accountability for Europe and data privacy
Intercompany contractual pressures
Contractual pressures stem from GDPR's decision that a company cannot simply ensure its own practices are up to par. If a data controller stores its data on a third party cloud and this cloud provider does not meet GDPR compliance, the company is still liable.
"When you think about the ecosystem in which these companies all live, they share data, they buy data, they might sell data," said Holcomb. "Nobody is just their four walls anymore, and as a result they're all asking each other to find contracts that say, 'in May of 2018 I will comply with GDPR.' Because if you don't comply, I can't comply."
So how do you comply?
So much of data security is focused around building impenetrable walls, but there is no such thing as an impenetrable wall and companies need to ensure a basic underlying accounting of data repositories is in place in case of data misuse or breaches, said Sirota.
The path to compliance is filled with nuance. Companies have to take into account the size of their EU presence, the type of data they collect and the scope of their business operations; depending on these factors, reaching compliance can take a few months or several years, said Holcomb.
Yet there is no single technology companies can put in place to stave off all violation of requirements. Many are looking to GRC tools and software with machine learning to up data management, but organizations should be wary of solutions throwing out buzzword technologies as a solution.
"I think when we get out five years, most companies will look back and say, "Hey, I really feel like I'm doing the right thing — I am protecting our consumers' data … I'm also making the customer experience better and I'm doing it all the right way."
Cybersecurity and Privacy Partner for PricewaterhouseCoopers
"Right now, that's a little bit like saying, 'Hey you were just born, time to run a marathon,'" Sirota said. "I think that matters, but that's actually not material to what GDPR requires. And I think if the goal is to basically meet the compliance, it is a big enough ask for companies to just account for the data."
With restructuring and redefining data classification from the ground up being such a case-by-case challenge, many companies have turned to third parties, such as privacy startups to established tech, consulting and legal firms. Efforts were slow in 2016, but the pace of companies seeking help has steadily picked up over 2017.
Of the 11% of firms that claim to be finished with GDPR measures, 88% spent more than $1 million and 40% spent more than $10 million, according to the PwC survey.
For the majority of companies yet to finish preparations, 60% had $1 million planned for the process and only 10% had more than $10 million planned. This shows that most companies are not yet ready for GDPR and that it is costing them more than they forecasted.
While the number of companies yet to begin preparations has sunk to 7%, 36% of companies have only begun assessments of GDPR readiness, according to the survey. Given how long preparations can take, this is dangerously close to deadline.
"Nobody is just their four walls anymore, and as a result they're all asking each other to find contracts that say, "in May of 2018 I will comply with GDPR." Because if you don't comply, I can't comply."
Cybersecurity and Privacy Partner for PricewaterhouseCoopers
The initial phases of data inventory and maintaining records of data processing for compliance will be big a big first step for companies, but a change in daily operations farther down the line will be even harder, said Holcomb. Employees will need to understand how to do their jobs differently and better everyday under GDPR changes.
Yet companies would do well to remember that bringing in consultants and experts to understand the long and verbose language of GDPR is not what's at the heart of the matter, according to Sirota.
"At the end of the day, the person that's going to be sitting in judgment of you, the company, around how you satisfied that or not, it's not the regulator — it's your customers, it's your employees," said Sirota. "And what company doesn't benefit by better securing their customers?"
Follow Alex Hickey on Twitter