Well, it’s finally That Month. On May 25th, the General Data Protection Regulation (GDPR) will come into effect. Guess what? Hardly anyone is ready for it.
GDPR is set to be the most stringent privacy regulation ever, and it affects more than just companies in Europe. Anyone handling data on people living in the EU must comply.
Experts have been warning for at least a year that to comply with GDPR companies will have to do some heavy lifting. With less than a month to go, though, the numbers suggest that industry is far behind. GDPR readiness surveys indicate that only 7% of companies are fully compliant. As spring finally pulls everyone from hibernation, thousands of managers are emerging from compliance meetings, blinking with shock, and saying “we have to do what, now?”
At SecTor in November, we sat down with the conference’s co-founder Bruce Cowper for a recap on what’s coming down the pipe and what people should be doing about it.
Under GDPR citizens will get more data privacy rights than they had before, and companies will be more accountable if they fail to honour them. In the past, individuals could ask what data a company had about them and how it used that information. Now, they get to demand a machine-readable copy of their data to take elsewhere as part of GDPR’s data portability provision.
One of the most significant parts of GDPR is its treatment of consent. In the past, companies required opt-in consent from individuals whose sensitive data they stored, but they could collect consent once for a range of activities. Under GDPR, they will be forced to gather permission for each discrete thing that they use the data for and to make information about those activities easy for individuals to understand. That means dropping the legalese and creating clear, readable instructions that a layperson can digest easily.
Those in the EU also get the right to withdraw that consent as quickly as they grant it. They can freeze an organization’s use of their data and even erase it entirely if they are not happy with how the company is treating it, in a clause commonly called the ‘right to be forgotten.’
The EU has tangled with the right to be forgotten before. The EU Court of Justice ruled in 2014 that search engines should erase irrelevant or outdated data from search results in the EU. The ruling’s phrasing left a gap for companies like Google – which has since received 650,000 erasure requests – to reject them, claiming they are in the public interest. GDPR will force the issue. Google recently lost a case brought by a businessperson requesting that his data be erased, in what could be a sign of things to come.
GDPR brings plenty of other requirements, too. It makes data breach reporting to the local regulator mandatory within 72 hours of becoming aware of the breach, and also forces notification of the affected individuals in high-risk instances. These requirements would probably have put companies that experienced recent data breaches, such as Equifax and Uber, on the wrong side of the legal line.
The Regulation also makes data privacy impact assessments mandatory for organizations processing high-risk data; companies must prove that they have been through a clearly defined set of processes to ensure that they are protecting people’s data.
Many companies will need to show that they have appointed an individual – known in GDPR as a data protection officer – to look after these privacy requirements. That DPO can be an existing employee, but they must be an expert in data protection. No adding ‘DPO’ to the office manager’s title here unless you can show they know what they’re doing.
So with less than a month left, what should latecomers to the party do? Data discovery should be at the top of your list because you can’t manage what you don’t see. Then you have to look at how you’re handling that data internally, to see if you can identify gaps in the process that could make you liable.
Finally, Bruce talks about the people and process side of the equation. Technology will only get you so far in your journey to GDPR compliance, but understanding how your employees handle private information and how you deal with customers in areas like gathering consent is crucial.
If you haven’t nailed your GDPR requirements yet, then it’s time to call an expert. Before picking up the phone, get some more in-depth guidance from our other blog post on this topic from just over a year ago. It includes links to a 12-step guide from the UK’s Information Commissioner’s Office.