It feels like Y2K all over again. We are less than one year until the impact of the GDPR is realized, no one is certain what will happen, and everyone is taking a different approach to mitigation.
In April 2016, the European Union introduced the General Data Protection Regulation (GDPR), and it goes into effect in May 2018. The GDPR aims to “create more consistent protection of consumer and personal data across EU nations.” (https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection) One way to summarize the requirements is to say that companies that have operations or do business with EU citizens must know where EU citizens’ data in their care is located, ensure it is being handled appropriately, remove the data when requested and notify citizens’ promptly when their data has been compromised. As an individual, this seems an obvious expectation, but working in a company you learn information has a way of spreading among people and systems and trying to control it is very difficult.
“What’s most worrying about the findings,” comments Matt Lock, director of sales engineers at Varonis, “is that one in four organizations doesn’t have a handle on where its sensitive data resides. These companies are likely to have a nasty wake-up call in one year’s time. If they don’t have this fundamental insight into where sensitive data sits within their organizations and who can and is accessing it, then their chances of getting to first base with the regulations are miniscule and they are putting themselves firmly at the front of the queue for fines.” (http://www.securityweek.com/survey-shows-disparity-gdpr-preparedness-and-concerns)
Any company found to be in violation of the regulation, faces fines and penalties up to 4% of their global annual revenue. It is this penalty that has companies taking note and working hard to ensure compliance. But not everyone is taking it seriously, or at least not everyone has started.
A recent survey conducted on behalf of Varonis highlights a disparity between the priorities of company executives and those responsible for ensuring compliance. Among the 500 IT decision makers surveyed, 75% “face serious challenges in being compliant with the EU GDPR” by the deadline. (http://www.securityweek.com/survey-shows-disparity-gdpr-preparedness-and-concerns) Not surprising when you learn 42% of company executives do not view compliance by the deadline as a priority. Where does this disparity come from?
The survey included companies from the UK, Germany, France and the US. These companies undoubtedly have different experiences with regulators based on their geographic locations and their operating industries. Some regulators tend to be collaborative in finding a resolution while others tend towards punitive actions. We don’t yet know how EU regulators will apply the GDPR penalties. 92% of respondents expect that a specific industry “will be singled out as an example in the event of a breach” (http://www.securityweek.com/survey-shows-disparity-gdpr-preparedness-and-concerns) with 52% of UK respondents predicting banking, while France and Germany overwhelmingly predict a breach in technology and telecommunications to be the example.
Regardless of who is first, the scale of the first penalty will be the signal to company executives on how much they should devote to compliance. And as with all business decisions, it is one of the minimizing costs to maximize profitability.
56% of UK respondents believe the GDPR will increase complexity for IT teams and result in higher prices for customers with 22% seeing no benefit to their business. (https://www.infosecurity-magazine.com/news/uk-it-leaders-gdpr-will-drive-up/) With these kinds of numbers, it will be difficult to get executive support for compliance efforts. However, 35% of companies surveyed believe GDPR compliance will be beneficial with better protections for personal data being the biggest improvement. While the GDPR only addresses personal information, the exercise will help companies understand the effort required to manage data better and some may see unexpected benefits.
Leading up to January 1, 2000 there were many similar stories about companies taking different approaches to Y2K remediation. Some had enormous, expensive projects running for years, others scrambled at the end of 1999 while a few focused on response planning and hoped for the best. The requirements of the GDPR are well documented, but the likelihood and size of penalties are still unknown. Different companies take different approaches based on industry, geography, and individual risk tolerances. The only certainty is that everyone is watching for the first big consumer data breach in the EU in 2018 and hoping it isn’t theirs.