We all do it. We look at a deadline that’s months away and we tell ourselves we’ve got lots of time to think about it. In fact, that’s probably what you thought when you first heard about the European Union (EU) General Data Protection Regulation (GDPR), which takes effect May 25, 2018. Even now, it’s still months away — right?

So we procrastinate. Not because we’re lazy, but because we’ve got lots of other things to think about.

But while you’ve been confidently putting it off for that day when you imagined you’d have an hour or two of free time, here’s what you may wish you knew sooner.

View IBM Security’s interactive guide to GDPR readiness

Data Protection Is About to Get Personal

It’s likely that GDPR will fundamentally change the way organizations manage personal data — and its related security, privacy and breach notification practices. And that goes for organizations located outside the EU as well.

  • The penalties for noncompliance are steep.
  • There are tools available now to help you figure what you need to do to meet the regulation’s requirements and get you started on a road map to help you move forward.
  • There’s still time to take control of your situation — if you act now.

A Few Facts to Get You Up to Speed

GDPR applies to any organization — anywhere — that’s doing business with any of the 700 million individuals in the EU, regardless of those individuals’ citizenship or where the organization’s data may be stored. In fact, the individual could be just visiting an EU country. What’s more, many of the regulation’s requirements may be extended to apply to individuals in neighboring countries of the European Economic Area (EEA) — including Switzerland, Norway, Iceland and Liechtenstein — which are likely to adopt many of the same rules included in GDPR.

We know: You’re still thinking — hoping — you don’t need to be too concerned about GDPR right now. But before you make that decision, you might want to consider how GDPR will likely impact the following businesses:

  • Financial services companies will no longer be allowed to use automated credit report profiling systems to determine whether to accept or deny credit card applications without obtaining explicit consent (GDPR, Article 22, p. 147). Going forward, they may need to insert some sort of “middle man” into a process that had been fully automated.
  • E-commerce companies will have to follow strict opt-in and opt-out requirements (GDPR, Article 7, p. 123; Article 9, p. 125). And those opt-in rules will need to be explicit, while opting out must be made very simple.

What’s that? You don’t work in finance or e-commerce? Because we don’t want you to feel left out, here are some additional GDPR facts you might find interesting.

  • Any business collecting personal data (for example, names, email addresses, photos, IP addresses, credit card information and medical information) on EU residents must inform those individuals why the data is being collected and the purposes for which it will be used, apart from any other lawful and legitimate basis for processing. Businesses are required to obtain and maintain explicit consent from every individual, especially for any automated profiling or data transfers. They also need to be able to retrieve an individual’s data from their systems within one month in order to meet data subject access requests.
  • Do you have employees working in Europe? Business partners or business contacts in Europe? As long as they’re living and breathing individuals on EU soil, these individuals are in scope. Surprised? Many folks are when they find out it’s not just about consumers.
  • Businesses will no longer be allowed to keep individual data for as long as they want. Instead, they’ll need to periodically review their data governance practices and delete or destroy any data that’s no longer necessary.

What If You Don’t Do Anything Now?

Here comes the scary part about procrastinating: GDPR mandates that organizations implement solutions and practices that ensure compliance with its rules. And if they don’t? Passive or willful noncompliance can carry penalties as high as 4 percent of annual global revenues or 20 million euros, whichever is higher. That could pose serious problems, especially because it was reported earlier this year that three-quarters of non-IT leaders at U.S. firms believe GDPR doesn’t apply to them.

What’s Everyone Else Doing?

As you might expect, we’ve found organizations based in Europe to be more actively involved in preparing their systems. Financial services firms — both within Europe and in the U.S. — often appear to be ahead of other businesses in their preparations. But the one question we’re hearing over and over again is, “What should we be doing?” So don’t beat yourself up about not knowing the answer to that one.

Of course, everyone we talk to has his or her own point of view about all this. For example, one European bank is truly on top of its game. It understands what needs to be done and is taking steps to do it. A multinational logistics firm admitted to being confused and in need of help, asking what it should do next. And then there was the global airline that said it had heard of GDPR but was planning to take a wait-and-see approach — until it finds itself on the receiving end of an enforcement action.

Do It Now

So, if procrastination isn’t the best approach to preparedness, what is? As you may have figured out by now, we believe the wait-and-see strategy, also known as the “procrastinator’s special,” is a recipe for disaster. Sure, we know you’ve got plenty of other important things on your plate, but do you really want to take your organization down that road? We didn’t think so.

We think there’s a better approach. Set aside some time with some of the other people in your organization who need to be involved, and familiarize yourselves with GDPR and its requirements. Explore the resources we’ve suggested here to read more about what you need to do and when you need to do it.

And stay tuned. We’ll be adding more insights and ideas for you to ponder in the months to come, because no matter what you tell yourself, May 25, 2018 isn’t really that far off.

Click here to learn more about how IBM Security can help you navigate the journey to GDPR readiness or contact Adam Nelson and Cindy Compert.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.