We all do it. We look at a deadline that’s months away and we tell ourselves we’ve got lots of time to think about it. In fact, that’s probably what you thought when you first heard about the European Union (EU) General Data Protection Regulation (GDPR), which takes effect May 25, 2018. Even now, it’s still months away — right?

So we procrastinate. Not because we’re lazy, but because we’ve got lots of other things to think about.

But while you’ve been confidently putting it off for that day when you imagined you’d have an hour or two of free time, here’s what you may wish you knew sooner.

View IBM Security’s interactive guide to GDPR readiness

Data Protection Is About to Get Personal

It’s likely that GDPR will fundamentally change the way organizations manage personal data — and its related security, privacy and breach notification practices. And that goes for organizations located outside the EU as well.

  • The penalties for noncompliance are steep.
  • There are tools available now to help you figure out what you need to do to meet the regulation’s requirements and get you started on a road map to help you move forward.
  • There’s still time to take control of your situation — if you act now.

A Few Facts to Get You Up to Speed

GDPR applies to any organization — anywhere — that’s doing business with any of the 700 million individuals in the EU, regardless of the individual’s citizenship or where the data may be stored. In fact, the individual could be just visiting an EU country. What’s more, many of the regulation’s requirements may be extended to apply to individuals in neighboring countries of the European Economic Area (EEA) — including Switzerland, Norway, Iceland and Liechtenstein — where it’s likely they’ll adopt many of the same rules included in GDPR.

We know: You’re still thinking — hoping — you don’t need to be too concerned about GDPR right now. But before you make that decision, you might want to consider how GDPR will likely impact the following businesses:

  • Financial services companies will no longer be allowed to use automated credit report profiling systems to determine whether to accept or deny credit card applications without obtaining explicit consent (GDPR, Article 22, p. 147). Going forward, they may need to insert some sort of “middle man” into a process that had been fully automated.
  • E-commerce companies will have to follow strict opt-in and opt-out requirements (GDPR, Article 7, p. 123; Article 9, p. 125). And those opt-in rules will need to be explicit, while opting out must be made very simple.

What’s that? You don’t work in finance or e-commerce? Because we don’t want you to feel left out, here are some additional GDPR facts you might find interesting.

  • Any business collecting personal data (defined as names, email contacts, photos, IP addresses, credit card information and medical information, for example) on EU residents must inform those individuals of the purposes for which the data will be used and why it’s being collected — outside of any lawful and legitimate data processing conditions. Businesses are required to obtain and maintain explicit consent from every individual, especially for any automated profiling or data transfers. They also need to be able to retrieve the data from their systems within one month in order to meet data subject access requests.
  • Do you have employees working in Europe? Business partners or business contacts in Europe? As long as they’re living and breathing individuals on EU soil, these individuals are in scope. Surprised? Many folks are when they find out it’s not just about consumers.
  • Businesses will no longer be allowed to keep individual data for as long as they want. Instead, they’ll need to periodically review their data governance practices and delete or destroy any data that’s no longer necessary.

What If You Don’t Do Anything Now?

Here comes the scary part about procrastinating: GDPR mandates that organizations implement solutions and practices that ensure compliance with its rules. And if they don’t? Passive or willful noncompliance can carry penalties as high as 4 percent of annual global revenues or up to 20 million euros, whichever is higher. That could pose serious problems, especially because it was reported earlier this year that three-quarters of non-IT leaders at U.S. firms believe GDPR doesn’t apply to them.

What’s Everyone Else Doing?

As you might expect, we’ve found organizations based in Europe to be more actively involved in preparing their systems. Financial services firms — both within Europe and in the U.S. — often appear to be ahead of other businesses in their preparations. But the one question we’re hearing over and over again is, “What should we be doing?” So don’t beat yourself up about not knowing the answer to that one.

Of course, everyone we talk to has his or her own point of view about all this. For example, one European bank is truly on top of its game. It understands what needs to be done and is taking steps to do it. A multinational logistics firm admitted to being confused and in need of help, asking what it should do next. And then there was the global airline that said it had heard of GDPR but was planning to take a wait-and-see approach — until it finds itself on the receiving end of an enforcement action.

Do It Now

So, if procrastination isn’t the best approach to preparedness, what is? As you may have figured out by now, we believe the wait-and-see strategy, also known as the “procrastinator’s special,” is a recipe for disaster. Sure, we know you’ve got plenty of other important things on your plate, but do you really want to take your organization down that road? We didn’t think so.

We think there’s a better approach. Set aside some time with some of the other people in your organization who need to be involved, and familiarize yourselves with GDPR and its requirements. Explore the resources we’ve suggested here to read more about what you need to do and when you need to do it.

And stay tuned. We’ll be adding more insights and ideas for you to ponder in the months to come, because no matter what you tell yourself, May 25, 2018 isn’t really that far off.

Click here to learn more about how IBM Security can help you navigate the journey to GDPR readiness or contact Adam Nelson and Cindy Compert.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.