If your company does business in any of the 28 member countries of the European Union, privacy is about to become a fierce preoccupation for the C-suite, thanks to the EU’s forthcoming General Data Protection Regulation (GDPR).
According to a recent Trend Micro survey, 79 percent of business leaders who have read the requirements of the GDPR are confident their data is secure enough. Yet, the same survey reveals that nearly 67 percent of the respondents are unaware of the extent of the GDPR fines: Companies found to be in violation of the GDPR could be fined up to 4 percent of their global annual revenue or 20 million Euros, whichever is higher.
That doesn’t include other types of fallout, such as the costs to correct noncompliant processes and remediate the company’s reputation, the unfavorable media attention and the potential drop in stock prices for public companies. After reporting a large data breach with lots of personally identifiable information (PII), Equifax stock prices dropped 14 percent in one day.
Trend Micro also turned up what appears to be “widespread confusion as to what personally identifiable information needs to be protected under the GDPR.” For example, 42 percent of the surveyed businesses don’t know that email marketing databases contain PII, the report found. Trend Micro and its partner Opinium conducted more than 1,100 online interviews with IT decision makers from businesses based in 11 countries, including the United States, United Kingdom, France, Italy, Spain, Netherlands, Germany, Poland, Sweden, Austria and Switzerland in May and June.
GDPR Deadline Looming
Gartner has predicted that more than 50 percent of companies whose business is affected by the GDPR will not be in full compliance with its requirements by May 25, 2018, the date the GDPR goes into effect. Gartner also projects that “before 2020, we will have seen a multimillion Euro regulatory sanction for GDPR noncompliance.”
Forrester analyst Enza Iannopollo, speaking in a telephone interview for this story, provided a current estimate of likely compliance with the EU’s General Data Protection Regulation. “The GDPR is a complicated regulation that entails a revamped risk assessment and many changes to business process, technology and other factors. It can also be expensive to prepare for.
“A large number of European companies have been on task in preparation for the new regulation,” Iannopollo continues. “Outside of Europe, in the U.S. for example, work has been somewhat delayed. The percentage of U.S. companies that will be prepared for the GDPR will be significantly less than that of the Europeans. Worldwide, probably something like 1 in 3—just 33 percent—of companies that do business in the EU will be approaching compliance with the GDPR when the privacy regulation goes into effect next May.”
Iannopollo does not expect any leniency from the EU, especially toward companies that are not making much of an effort.
Gartner analyst Bart Willemsen points out in a recent Gartner General Data Protection Regulation FAQ that, as a data protection regulation, the GDPR prescribes few technological requirements. Rather, the emphasis is on identifying privacy risk. In other words, the EU is identifying privacy vulnerabilities, not specifying the tools or processes to secure them with. Willemsen writes: “There is still a lack of detailed operational regulatory guidance, while vendors and internal business stakeholders overwhelm security and risk management leaders with their own interpretation[s].”
Willemsen makes two recommendations on how to prepare for the GDPR:
- Obtain board approval for a remediation plan to prepare for sustainable compliance; and
- Direct legal counsel to provide [a] definitive interpretation of GDPR texts and assist in identifying operational requirements and demands.
Your organization is very likely going to need help getting up to speed on GDPR. My recommendation is to identify that help as soon as possible and get started on this if you have not done so already. The potential negative repercussions for noncompliance are significant.