Much has been written in this publication about the EU's General Data Protection Regulation (GDPR). According to PWC, CIOs are allocating millions of dollars from their budgets to GDPR. Yet Gartner's Bart Willemsen says, "97% of companies did not have a definitive strategy as of late last year," and "23% of companies actually expect to be sanctioned or to take remedial action." I was not surprised by Bart's numbers because in a recent conversation with the Executive Director of the Privacy and Big Data Institute, Dr. Ann Cavoukian, she said that "although most organizations expect a grace period after the regulation becomes effective, regulators believe enough time has been made available to comply and enforcement will commence in May 2018". One CIO that I know said recently, "It is unfortunate that many are not studying up on GDPR because the impact of not doing so is so material to their businesses."

While it is tempting to think the GDPR only matters for risk officers in European companies, this would be a mistake. GDPR demands the attention of multiple corporate functions in any business worldwide that processes EU citizen data. In terms of breadth, the regulation stipulates that EU citizens have the 'right to be forgotten'. Google has already processed 1.7 million requests to be forgotten and over 760,000 links have been removed because of GDPR – think about the potential cost and havoc this volume of requests could create for traditional industries like banking.

So, what are the impacts of the GDPR?

The regulation gives individuals more rights and control over their personal information and how it is processed. Organizations are required to "implement appropriate technical and organizational measures to ensure security is appropriate to the risk." GDPR mandates that organizations must know where and how the private data of European citizens is stored and accessed, then prove it is appropriately protected, "by design and by default," throughout its lifecycle with "the existence of appropriate safeguards." Organizations are also required to create and certify the enforcement of "Codes of Conduct" for the appropriate use and protection of private data. In the event of data loss, brands that have failed to adequately protect the rights of individuals must provide breach notification, so penalties are not only financially steep, at 4% of annual global turnover, but also extremely public.

What is needed to comply?

Complying with the GDPR requires people, process, and technology. Organizations need to establish a team with shared goals and responsibility for achieving GDPR compliance. Chartering this team involves functions from business development, risk and compliance, privacy and information management, the emerging CDO office, and the appointment of a Data Protection Officer (DPO). Success is built upon this team working effectively together and utilizing established best practices such as the Data Governance Institute's (DGI) Data Governance Framework and Dr. Ann Cavoukian's principles of Privacy by Design (PbD).

The GDPR mandates the protection of personal data 'by design and by default', a mandate that closely aligns with PbD:

1. Proactive not Reactive
Meeting this mandate means privacy cannot be an afterthought. It needs to be a consideration during all possible uses of information, and enterprise policies should govern data at all touch points. Organizations need to focus on privacy protection throughout the data flow, both internally and externally.

2. Privacy as the default
Enterprises need to compartmentalize data access and set privacy protection as the default. They need to ask questions of data owners: What are the consequences if data is exposed? What are the financial liabilities of exposure? What are the reputational impacts? By asking these questions, IT and the business can share responsibility for creating privacy policies and developing appropriate GDPR-compliant safeguards in answer to them.

3. Privacy embedded into design
Organizations must prove that the private data of European citizens is appropriately protected throughout its lifecycle, which means that privacy needs to be a requirement. Privacy protection is most effective and least disruptive when it is built in rather than bolted on as an afterthought, so organizations need to systematically recognize it as integral during the design phase of all new projects.

4. Full functionality
Full functionality means that all legitimate interests should be accommodated in a "win/win" rather than zero-sum manner. Privacy by Design aims to avoid pitting business ends against each other—e.g. privacy vs. security. It aims to demonstrate that you can use data and protect data at the same time.

5. End-to-end security
Data privacy is bigger than any single project or application; it needs to consider the use of information wherever it goes, and the emphasis needs to be on the data itself as well as all its touch points. This means knowing where all data exists within an enterprise so it can be thoroughly accounted for and appropriately protected.

6. Visibility and transparency
Visibility and transparency are as essential to consumers' trust that their personal information is protected from threats and misuse as they are to GDPR compliance. Organizations need privacy policies based on codes of conduct that hold business units accountable for information usage and processing.

7. Respect for user privacy
Organizations need to make data privacy and security business priorities integrated into enterprise culture and management. Part of this process is establishing explicit data owners and involving them in the implementation of policies that have at their core respect for data subjects and their personal information. This also involves giving data subjects the ability to actively manage their own data by offering consent, accuracy and access.

The above is impossible to achieve on an application-by-application basis in today's complex, extended IT ecosystems. One CIO put the problem to me this way: "You know those flight maps in the airline magazines? Those are our data flow maps; we have in our environment data flying all over the place."

The goal of an organization's people, process and technology should be to enable holistic protection of all personal information within systems, which means determining what data should be protected and enforcing policies to consistently protect it as it flows throughout the enterprise, not just at the application level.

Dealing with the data flow

Organizations need technology that enables them to achieve what Michelle Dennedy, Cisco's Chief Privacy Officer and co-author of The Privacy Engineer's Manifesto, calls "data-centric and person-centric" data protection.

GDPR compliance needs to be built upon an all-encompassing discussion about protecting personal information 'by design and by default' that results in privacy protection as a corporate value, interwoven with everything the business does. This is a major shift for most organizations, requiring the shared development of data governance, privacy and protection policies within the community served, in combination with technical solutions for their enforcement.

Technology choices

For some, disk encryption may seem like an appropriate answer, but it is a high-risk, all-or-nothing approach – recent breaches have taken advantage of those with privileged access.

Organizations need data protection that enables differentiated rights of access to data, internally and externally, by context. GDPR mandates appropriate safeguards for personal data which "may include encryption or pseudonymization." Pseudonymization is defined by the International Association of Privacy Professionals (IAPP) "as the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately." IAPP says, importantly, that pseudonymization may significantly reduce the risks associated with data processing while also maintaining the data's utility. For this reason, it says that GDPR creates incentives for controllers to pseudonymize the data that they collect. Although pseudonymous data is not exempt from the regulation altogether, GDPR relaxes several requirements on controllers that use the technique.

Data protection clearly needs to provide granular access control while creating minimal operational and performance impact if it is to be fully embraced by business leaders. By governing and protecting data itself and controlling access to it based on the context of a user's rights, role or need, privacy protection can be automated enterprise-wide, regardless of where information flows, is used, or rests.

Parting thoughts

It is time for CIOs to get serious about protecting data and respond effectively to GDPR – the consequences of noncompliance are too great not to act today – further delays might even cost CIOs their jobs.
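To make the pseudonymization pattern from the Technology choices section concrete, here is an added Python example (not from the article, the IAPP or any vendor): direct identifiers are replaced by random pseudonyms, the only way back to a person is a lookup table that is held separately, and deleting that table's entry is what honours a right-to-be-forgotten request while the remaining records stay usable for analytics. The sample records, the field names and the `PseudonymVault` class are constructed for this illustration.

```python
import secrets
from collections import Counter

# Constructed sample records carrying direct identifiers (all values made up).
RECORDS = [
    {"email": "alice@example.com", "name": "Alice", "amount": 120},
    {"email": "bob@example.com", "name": "Bob", "amount": 80},
    {"email": "alice@example.com", "name": "Alice", "amount": 45},
]
DIRECT_IDENTIFIERS = ("email", "name")

class PseudonymVault:
    """The 'additional information held separately' (pseudonym <-> identity). Keep it
    in a different system, under different access rights, from the pseudonymous data."""

    def __init__(self):
        self._by_identity = {}   # email -> pseudonym, so repeat records link to one subject
        self._by_pseudonym = {}  # pseudonym -> direct identifiers

    def pseudonym_for(self, record):
        email = record["email"].lower()
        if email not in self._by_identity:
            token = secrets.token_hex(16)  # random, so nothing about the person is derivable
            self._by_identity[email] = token
            self._by_pseudonym[token] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        return self._by_identity[email]

    def reidentify(self, pseudonym):
        return self._by_pseudonym.get(pseudonym)

    def forget(self, email):
        """Right to be forgotten: delete the link, leaving the records unlinkable."""
        token = self._by_identity.pop(email.lower(), None)
        if token is not None:
            del self._by_pseudonym[token]
        return token is not None

def pseudonymize(records, vault):
    """Strip direct identifiers; keep a pseudonym plus the non-identifying fields."""
    return [{"subject": vault.pseudonym_for(r),
             **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}}
            for r in records]

def spend_per_subject(pseudo_records):
    """Utility survives: per-subject analytics run without seeing any identity."""
    totals = Counter()
    for r in pseudo_records:
        totals[r["subject"]] += r["amount"]
    return totals
```

The pseudonymous list can be handed to analytics teams under ordinary access rights; only the vault, and whoever is entitled to open it, needs the stricter controls the article argues for.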