By Todd Fitzgibbon
Will you be ready for the GDPR deadline? Attendees at the RSA conference last week were abuzz with the looming May 25th effective date and the associated GDPR fines. While many of the world’s largest banks and other organizations responsible for data security and safeguarding personally identifying information are ready, the consensus is that most of the rest of us are not. In fact, one of the analysts I met at the conference said she thought reports stating that 60 percent of companies are likely to miss the deadline were overly optimistic. In reality, that number is probably closer to 80 percent, in her opinion.
So what’s holding us back collectively from meeting the GDPR deadline?
For one, it’s the GDPR itself. As one of the other RSA attendees said to me, “it’s like an airplane trying to take off on a runway that’s still being built.” In a lot of ways, he hit the proverbial nail on the head. Take for instance the GDPR requirement that in the event of a personal data breach, organizations have 72 hours to notify the supervisory authority and those EU residents whose data may have been compromised. The clock starts ticking as soon as the breach is detected. But the problem is, those local authorities are not explicitly identified, and member states have until May 25th to inform the European Commission of the details, so to whom do you report the breach? You can see how quickly our airplane runs out of GDPR runway.
Of course, this is not meant to suggest that you shouldn’t work towards compliance simply because there are details yet to be ironed out. Even though the countdown clock is moving ever closer to the May 25th deadline, it’s not too late to get started. It’s in your organization’s best interest to work towards GDPR compliance and show that you are making progress, something that is typically well-received by regulators. It’s unlikely that these supervisory authorities will initially bring down the hammer of enforcement for GDPR fines if you can show that you are working toward complying with the principles of transparency and data protection at the core of GDPR.
What are the GDPR Fines?
The risks of not doing anything are potentially too great—fines up to the greater of €20 million or 4 percent of your global annual revenue.
However, the opportunity cost associated with non-compliance is potentially even more costly than these fines. GDPR-compliant organizations will gain a competitive advantage when being evaluated by partners as a potential vendor, they’ll be favored by end-consumers, and they’ll even have their pick of higher caliber EU employees who expect their employers to protect their data and privacy.
I recognize that the challenge before you is a big one. Some of the heavy lifting around GDPR is analogous to someone coming into your house and asking you to know how many pairs of socks you have, what colors they are, and where they are all currently located. Anyone with a busy family knows what a Herculean task that would be, and it’s similar to what your organization will be asked about customer data. Do you know what data you have, where it’s stored in your organization, and who’s using it for what purpose?
Recommendations for meeting the GDPR deadline
Rsam’s recommendation is that companies start by gaining an informed understanding of where their potential GDPR gaps exist. By combining Rsam’s Risk and Compliance Assessments Module with an out-of-the-box GDPR Control Library, organizations can perform GDPR risk assessments against their various entities and the assets on which they rely.
This will help you assess departments and business units to determine their readiness to meet GDPR requirements; leverage questionnaires, assessments, and control tests to identify gaps; and address and manage these gaps with powerful workflow and reporting features.
By starting with an effective GDPR risk assessment, you’ll have a leg up when it comes to reporting GDPR readiness to stakeholders, prioritizing and justifying GDPR investments, and tracking your progress as you execute on a well-informed GDPR compliance road map.
Do you hear that ominous ticking? In the time it took you to read this blog entry, you’re that much closer to the deadline. We’re happy to help if you need it when assessing your readiness.