An increasing number of security and privacy leaders and vendors have asked us for our thoughts on the European Union (EU)’s upcoming General Data Protection Regulation (GDPR). In these conversations, I have found that a surprising number of leaders within global companies are taking a wait-and-see approach to the GDPR. They want to see how the actual enforcement of the regulations will take place.
Understandably, many vendors see the GDPR as a dynamic new market and are positioning themselves to help clients meet the requirements. If you haven’t been following the GDPR and the impact it will have on companies throughout the world, you should be. The regulation applies from May 25, 2018 and is designed to protect the personal data of anyone residing in the EU.
The GDPR doesn’t just impact European companies. Any organization that stores, accesses, processes or uses EU residents’ personal data is subject to the regulation, wherever it is based. Fines for violations have the potential to reach the billions for large, global companies: depending on the provision breached, up to 2 percent or 4 percent of worldwide annual turnover (or €10 million or €20 million, whichever is higher).
The Challenge of Distributed Data
Understanding corporate and customer data has become a priority for many companies. This means that an increasing volume of customer data and other sensitive information is often shared across departments. While this sharing enables groups to spot new trends and identify opportunities, it also means the data is more vulnerable to both cybercrime and accidental exposure.
Some organizations have implemented strict access controls to secure their data. The problem with this approach is that you may lose out on a wealth of important information that can be uncovered by opening data to a variety of teams. From a competitive perspective, you need to be able to run analytics on all kinds of data sets, such as customer data, product information and even human resources data, to adjust to changing market conditions. You also need to pay attention to and prepare for the GDPR to avoid huge fines and the loss of customer loyalty and trust that can result from a data breach.
Hurwitz & Associates distributed a short survey to assess company readiness for the GDPR. The results of the survey and conversations we’ve had with customers and vendors lead us to believe that customers are not prepared for the potential financial and reputational risk they face if they don’t take action soon.
What Is Protected Under the GDPR?
It’s not just passwords and ID numbers: all types of data that might identify a person, directly or indirectly, are included in the regulation. These identifiers include names, identification numbers, Social Security numbers, location data, photos, online passcodes, email addresses, banking details, computer IP addresses and medical information. Even a broad list of characteristics specific to a person can qualify as personal information protected under the GDPR. These characteristics include physical, racial, cultural, ethnic, health-related, sexual, genetic and biometric details.
One aspect of the GDPR that is gaining attention is the idea that companies may be liable for personal data leaks, even if they are breached by a criminal organization. For example, if a company fails to take appropriate measures to protect personal data, they may be fined, even if a third party illegally exposed the data.
In addition, organizations must have a strong understanding of where their data resides and what data they possess to comply with the GDPR. They must be mindful of the right to be forgotten (right to erasure) provision, for example, and of the breach notification deadlines: the supervisory authority must be notified within 72 hours of the organization becoming aware of a breach, and affected individuals without undue delay where the breach poses a high risk to them.
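As an added example (not part of the original article or the survey), the following Python script shows the kind of automated identifier discovery that organizations without tracking tools are missing: it scans records pulled from several notional data stores and builds an inventory of which stores contain email addresses, IPv4 addresses and bank account numbers (IBANs), three of the identifier types listed above. The store names, records and account numbers are constructed for the example; the IBAN check is the standard mod-97 checksum, used here so that strings that merely look like an IBAN do not inflate the inventory.

```python
"""Personal-data discovery pass over text records from several data stores.

Builds an inventory of which stores hold which GDPR-relevant identifier types
(email addresses, IPv4 addresses, IBANs). All sample data below is constructed
for this example; the store names are hypothetical.
"""
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# IBAN candidate: country code, two check digits, then groups of four
# alphanumerics (spaces tolerated) and an optional short trailing group.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")


def ipv4_is_valid(candidate: str) -> bool:
    """Reject dotted quads with an octet above 255 (e.g. 999.1.1.1)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must be 1 mod 97."""
    s = re.sub(r"\s+", "", candidate).upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


# category -> (pattern, validator applied to each regex hit)
DETECTORS = {
    "email": (EMAIL_RE, lambda m: True),
    "ipv4": (IPV4_RE, ipv4_is_valid),
    "iban": (IBAN_RE, iban_is_valid),
}


def find_identifiers(text: str) -> dict:
    """Return {category: [matched strings]} for a single record."""
    found = defaultdict(list)
    for category, (pattern, validate) in DETECTORS.items():
        for match in pattern.finditer(text):
            if validate(match.group(0)):
                found[category].append(match.group(0))
    return dict(found)


def build_inventory(stores: dict) -> dict:
    """stores: {store_name: [record, ...]} -> {store_name: {category: count}}.

    The result answers the GDPR question 'which systems hold personal data,
    and of what kind', which is the input to erasure and breach handling."""
    inventory = {}
    for name, records in stores.items():
        counts = defaultdict(int)
        for record in records:
            for category, hits in find_identifiers(record).items():
                counts[category] += len(hits)
        inventory[name] = dict(counts)
    return inventory


# Constructed sample data: hypothetical stores, no real people or accounts.
SAMPLE_STORES = {
    "crm.customers": [
        "Customer 1042; contact: jane.doe@example.com; last login from 203.0.113.17",
        "Customer 1043; contact: j.smith@example.org",
    ],
    "billing.accounts": [
        "acct 77; iban GB82 WEST 1234 5698 7654 32; status active",
        "acct 78; iban GB82 WEST 1234 5698 7654 33; status closed",  # bad check digits
    ],
    "web.access_log": [
        '198.51.100.8 - - "GET /index.html" 200',
        '999.1.1.1 - - "GET /bogus" 400',  # fails the octet check
    ],
    "hr.config": ["app_version=2.4.1", "timeout=30"],  # no identifiers
}

if __name__ == "__main__":
    for store, counts in build_inventory(SAMPLE_STORES).items():
        print(f"{store}: {counts or 'no identifiers found'}")
```

Pattern matching like this is only a first pass. Names, photographs, health data and the other characteristics the regulation covers have no syntactic signature and need schema review, column sampling or a classification tool; conversely, any four dotted numbers (a version string such as 1.2.3.4) will be reported as an IPv4 address, so treat the counts as leads for a data owner to confirm. Run it against sampled exports rather than live production copies, and record the confirmed results in the data inventory that the right to erasure and the 72-hour breach notification both depend on.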
Hurwitz & Associates Survey Results
Hurwitz received responses from organizations in 11 countries, including the U.S., the U.K., Ireland, France, Hungary, the Netherlands and the Czech Republic. The majority of companies were in the technology, professional services and financial services industries. Here are the 10 most interesting findings from the survey:
- Survey participants are interested in the regulation. However, we think they are underestimating the time it will take to create a workable and actionable program.
- The participants are starting from a place of limited knowledge about the location of personal data within their systems.
- Few of these companies have a plan to keep track of the location of personal data.
- The majority of participants are aware of and motivated to begin preparing for the GDPR. Still, most use manual tools or lack tools entirely to identify and track risks to customer and personal data.
- The two top drivers for undertaking a data security and protection strategy are complying with industry regulations and increasing the organization’s overall data security and protection posture.
- Organizations are spearheading their preparation for the GDPR through a number of organizational departments, including security offices, data privacy offices, IT departments and legal departments.
- Companywide IT security organizations were most often tasked with ensuring both information security and data privacy.
- Participants believe that the biggest impacts of the GDPR on their organization will be the need to implement new controls and tools, and the need to review company contracts to ensure vendors adhere to the new regulations.
- The majority of participating organizations have no measurement procedure or are in the process of identifying tools to help measure and manage operational risk. For organizations that have systems in place to measure their security and privacy risk mitigation programs, many use a risk-based metrics approach. This approach looks at the asset value and risk of a particular incident. Very few companies use quantitative metrics, such as looking at the number of incidents open versus closed or assessing average dwell time.
- As Figure 1 shows, the companies we surveyed feel they still have a lot of work to do to document where personal data is held. Some do not have systems in place to document where personal data is housed. Others are working on creating policies to track and document where personal data is stored. About 25 percent of companies have well-documented records of where personal data is held.
Figure 1: How Do You Rate Your Organization’s Ability to Track Personal Data?
Plot Your GDPR Preparation Plan
Through a variety of interviews and conversations with organizations, Hurwitz & Associates developed three best practices for preparing for the GDPR:
- Work together. Privacy, security, legal, records, IT and project management teams in lines of business need to work together to make sure governance procedures, including security, privacy and protection, are followed within each business unit.
- Assess the impact. Throughout a project, conduct data privacy, protection and security assessments so leadership understands how personal data is being used and its potential risk of exposure.
- Identify data. Teams must identify what data will be used for new and ongoing projects. In addition, they should understand where personal data is being used so that it can be governed, secured, protected and used accordingly.
Organizations have a variety of approaches to ensuring data privacy, protection and security. Some large organizations leave it up to individual business units to develop a strategy, while others have a companywide governance strategy that is then implemented within the business. To meet the standard of the GDPR, we believe organizations will need to take a collaborative approach to data governance, including privacy, security and protection, across all departments.
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.