For months it’s been looming. Now, effectively, it’s here. And only a scant few organizations are ready for the European Union’s General Data Protection Regulation (GDPR).
As the GDPR compliance deadline goes into effect this month, just 11% of 700 organizations surveyed by ESG earlier this year said they were completely prepared, and only 33% said their incident response plan meets GDPR requirements. The potential fines for non-compliance (and breaches) are steep: 20 million euros or 4% of an organization’s worldwide revenue, whichever is higher.
If you’re struggling with GDPR compliance, fear not. There are specific steps you can take to catch up, reduce risk, and turn compliance into competitive advantage, according to a recent panel of experts who convened at Microsoft’s headquarters.
The GDPR provides an opportunity for organizations to get their data, security, and privacy house in order, says Elena Elkina, Co-founder and Partner of Aleada Consulting. Elkina advises clients to begin compliance exercises by understanding where data lives within their organization. “It’s extremely important to know, before you even start with compliance, what data you collect, how you collect it, what you use it for, and where you store it,” she says.
The next step: Document everything. “Make sure you’ve documented your processes and documented your data around the company,” says Elkina. That way, even if you’re not ready by the deadline, you can show regulators where you are in the process toward compliance.
A Competitive Edge
The upside to GDPR compliance is the potential for competitive advantage. “Companies are using [GDPR] to tell their customers what they are doing about privacy and compliance,” says Elkina. “Instead of focusing on the negative aspect of non-compliance, they are sharing their maturity model, their roadmap, building trust, and making sure their customers are confident in their ability to comply with GDPR.”
Privacy, in other words, is a business differentiator. “It’s an enormous opportunity for innovation,” says Elkina.
David Kemp, EMEA Specialist Business Consultant with Micro Focus, says CIOs and CSOs can expect a return on investment with GDPR compliance. His firm conducts data discovery and finds that for most corporations, at least 30-40% of their data is irrelevant or obsolete. “They’re spending a huge amount of money on storage and upkeep,” he says. The data cleansing activities required with GDPR, therefore, create an opportunity to clear out the clutter.
Kemp advises organizations to take a sequenced approach to compliance:
- Get senior management on board and create a steering committee.
- Have a data protection officer to comply with the legislation.
- Get legal on board to determine what the regulation means, and how it should be interpreted with your national law.
- Do data discovery to determine how big the problem is.
- Do a risk and gap analysis.
It’s also important to understand that execution is not just about technology; it’s about policy, procedure, and people.
The people piece is another side benefit to GDPR compliance. Compliance changes the culture of the company, says Elkina. People start thinking about privacy; they become champions. “Culture is extremely important,” she says. “Privacy is a social, a political, and an economic phenomenon.”
For more on GDPR’s expected effects on organizations, watch the webcast episode, GDPR Impact.