GDPR is Around the Corner. How Prepared Are You?

BrandPost By Jessica Carter
Aug 21, 2017


GDPR, the EU General Data Protection Regulation, takes effect May 25, 2018. It is anticipated to be a major data privacy disruption for businesses and, at the same time, a substantial benefit to consumer data privacy protection worldwide.

Companies within the EU are directly affected, but tens of millions of companies in total will need to comply with GDPR: EU-headquartered companies as well as foreign entities doing business in and with the EU.

AccessData, the forensics champion founded in 1987, sponsored a webinar series with GDPR as its third topic. Matt Kelly, host and CEO of Radical Compliance, was joined by Zoltan Precsenyi, director, government affairs for EMEA with Symantec in Belgium, and Catherine Castaldo, global chief privacy officer, with Nuance Communications and formerly with General Electric.

“Many executives have not been ready to jump on board the GDPR train until now,” said Castaldo. “We’re seeing corporations with extensive global operations struggling to comply with GDPR.”

GDPR covers the full spectrum of data, from creation through the end of its lifecycle. Within the regulation, a complete rulebook guides data governance, covering how data is managed, processed and protected. GDPR also sets out how to handle data after it has run its course.

The GDPR Bill Of Rights

A variety of consumer rights is built into the regulation, and European consumers are expected to learn these rights in order to ensure their personal data is protected. As Zoltan Precsenyi, of Symantec, warns, consumers “risk ignorance” if they don’t learn their rights under the regulation.

Each consumer is protected by a lengthy list of provisions, including:

  • Be informed about, and have access to, the data collected about them
  • Rectify incorrect data
  • Restrict processing of their data, and port it from where it is stored
  • Erase personal data or be forgotten

“All EU residents must be aware of GDPR and be able to invoke their rights as private citizens,” said Precsenyi. “People have a fundamental right to free privacy claims without delay. GDPR has an extensive notion of personal data tied either directly or indirectly to an individual that goes farther than business intelligence.”

Symantec research shows that only 20 percent of companies are confident they will be prepared for GDPR by the May 2018 deadline, while the remaining 80 percent lag behind.

“There are many challenges with the consumer rights being written into the regulation, and it’s a big ask,” stated Castaldo. “What’s difficult for data privacy and information governance experts to comprehend is how to track managed data of all kinds, what processes to put around it, and grasping how much there is to process. Many boards struggle to understand this complexity.”

GDPR Non-Compliance Carries Heavy Penalties

There are two tiers of administrative fines for non-compliance, depending on whether a violation is minor or technical, or major. Under Article 83 of the regulation, lesser infringements can draw fines of up to €10 million or 2 percent of worldwide annual turnover, and the most serious infringements up to €20 million or 4 percent, whichever is higher. Should individuals suffer damages from non-compliance, additional liability for compensation may ripple across the value chain, adds Precsenyi.

Castaldo says that although GDPR is oriented to privacy, it mandates a data governance program. Companies can begin with the basics of data mapping, data sources and collection points.

“Knowing what data you have is the first place to start. After that, map out where it is and how it’s collected,” said Castaldo. “Find the gaps and look for things to update. Leverage what you have, get your house in order now.”

Every aspect of compliance and every data processing activity should be documented so companies are well prepared. Specific documents include a written privacy policy, privacy impact assessments, records of minor incidents and a complete log demonstrating the company’s compliance track record.

Precsenyi offers a slightly different perspective.

“Risk assessment is not the wheel that needs re-inventing,” he says. “These methodologies are relevant, but GDPR requires more homework because it focuses on one type of risk and any harm to processing of information about individuals. I encourage data mapping against consumers, and always do the right thing and demonstrate that you did.”

Mounting Pressure on Third-Party Vendors

Both Castaldo and Precsenyi agree that GDPR puts pressure on third-party vendors and smaller companies. Independent oversight may help prepare vendors and companies for GDPR, but the biggest task at hand is understanding the complexity of the regulation.

“There’s no silver bullet,” said Precsenyi, “experience may cull the crop of vendors that are prepared to meet GDPR directly, and a lot of that preparedness depends on the internal privacy champions.”

GDPR affects every business function that handles personal data. The structure and size of an organization influence how well it organizes its GDPR compliance program. Success begins with executive-level endorsement and sponsorship of the effort. Beyond that, a senior coordinator needs to hold people accountable to the action plan.

Looking ahead, each company must quickly assess whether it has the resources to appoint a chief data privacy officer in-house or must outsource the function in order to comply. What’s likely keeping executives up at night, however, is not whether to hire but where to find the talent.

Hear the AccessData GDPR webinar hosted by Matt Kelly of Radical Compliance and his guests Zoltan Precsenyi and Catherine Castaldo below.