On 25th May 2018, the EU General Data Protection Regulation (GDPR) will come into force, after years of planning. But in reality, this date represents just the start of a long compliance journey for many. Awareness of the regulation has certainly risen, but not to the point where organisations know what they need to do. Far too many still incorrectly assume that investing in a few security technologies will do the trick. They believe regulatory fines are something that will happen to other firms, not theirs.
In short, it could take as long as five years before we see high levels of true GDPR compliance. Until then, it could be a rocky road for many if they don’t focus now on the basics of documentation and process. There’s still a prevailing attitude in many boardrooms that breaches and subsequent GDPR fines will not affect their organisation.
One report claims that 38 per cent of IT decision makers believe their organisation does not view compliance with the GDPR by the deadline as a priority. This is baffling given the high stakes involved: after all, a fine of 4 per cent of global annual turnover is enough to cost any CEO, CISO or CIO their job. Some might be half-expecting or half-hoping that the regulators will go easy for a year or two until firms have caught up. This would be a tactical miscalculation.
I predict that the regulators will hit the ground running to levy some major fines on organisations. As the fines start to mount, so will the panic. The result? Investment finally released for comprehensive compliance projects. But it will be much harder to find the right expert partners in this scramble to get help, and that help will not come cheap. Compliance will be rushed, inevitably leaving gaps, and all the while organisations will remain exposed to the risk of breaches and regulatory scrutiny.
The Way Forward
Technology can only help GDPR compliance as part of a comprehensive process-driven approach. To that end, when firms finally begin in earnest they will need to understand:
- Where their customer/employee personally identifiable information (PII) is stored.
- Where data flows within and outside the organisation.
- Which data needs to be permanently deleted according to the principle of data minimisation.
- Where it needs to be retained and encrypted or pseudonymised, perhaps to meet other regulatory requirements, such as in healthcare.
Mid-sized firms are arguably the worst prepared, thanks to confusion over ownership of the GDPR and resource constraints. But larger firms also have challenges, for example in managing the sheer weight of documentation necessary to comply. Data Protection Officers (DPOs), mandated by the regulation for many firms, will help with the process as long as they aren’t marginalised inside the organisation. But privacy officers have traditionally been seen by many businesses as a brake on innovation rather than an enabler of growth.
However long it takes organisations to get their GDPR plans in order, one thing remains: compliance is not a destination, it is a continuous process of improvement.