GDPR is here: What's next?
One of the biggest impacts companies notice may be an influx of data subject access requests by individuals testing out their newfound data rights.
After months of headaches, worry, confusion and frustration, GDPR is now a reality for any company processing or controlling data of EU citizens.
The privacy industry has been bolstered by GDPR, and data protection and privacy experts — from consultants and engineers to data protection officerss and compliance VPs — are in demand. Many large companies have rolled out GDPR offerings, and a spate of small startups have entered the market promising more compliance solutions.
Estimates expect anywhere from half to two-thirds of companies to be noncompliant today. But even for the minority of companies that have sufficiently changed internal processes and operations to reach compliance, GDPR will be an ongoing business process.
Regulators are underfunded and underprepared too, so the next few months and years will be a learning process for both sides. Businesses don't know what's going to happen after today, but many experts expect some degree of understanding on the part of regulators that compliance is a long and arduous journey that might need just a little more time.
Within the EU, many members states haven't even implemented localized laws for GDPR, Tantleff said. Regulators may have a short list of companies they want to look into, but with resource and financial constraints the summer months may see more public statements than investigations launched. Regulators are also likely to hold off wielding the financial liability tied to GDPR in the beginning, first opting for other tools in their toolbox, he said.
But in the meantime, what's a company to do?
If compliance measures are in place, one of the biggest impacts companies notice may be an influx of data subject access requests by individuals testing out their newfound data rights. A few requests should be manageable, but a large wave could test how well a company set up systems for data management, such as data mapping, portability and erasure.
A hoard of data subject requests combined with audit requests, customer questions and data privacy agreements or addendums could translate to a "paper DDoS attack that cripples business," according to Jen Brown, compliance and data protection officer at Sumo Logic, in an emailed statement to CIO Dive. Companies struggling to balance compliance demands on top of regular competition may find themselves in a short-term innovation dip.
Some companies have already started receiving requests. Many are from curious internet citizens who normally wouldn't go through such an effort but want to know what organizations have on them due to all the attention surrounding GDPR, said to Aaron Tantleff, partner at Foley & Lardner LLP, in an interview with CIO Dive. Others are more deviously testing companies, perhaps looking for a crack in the wall.
As requests and audits pour in, a wave of litigation will follow — though the process may take months before a substantial case is brought forth.
Companies that fall under the scope of GDPR but haven't made any efforts will be easy targets moving forward. One of the biggest misconceptions many companies have is that GDPR just requires a change in privacy policies and outward facing documents, according to Tantleff.
The reality of compliance is a lot of policy and procedural updates and a deeper understanding of how and why a company processes data. "While it's not perfect, it's okf" for companies that are not yet compliant but have put effort into having a set process in place and documented data policies, Tantleff said.
Businesses will have to continue focusing on vendor and partner networks to ensure additions fall within a compliance scheme. And employees, who continue to pose the biggest cybersecurity risk for companies, will need special attention and training.
After all, the best compliance strategy is worth nothing if employees coming into contact with personal data abuse, misuse or fail to protect it — intentionally or not.
Follow Alex Hickey on Twitter