The European Union (EU)’s General Data Protection Regulation (GDPR) is a significant responsibility for companies of all sizes, and compliance includes a long list of requirements. Does your company need to comply with the GDPR? The answer is likely yes if it processes, stores or transmits personal data for data subjects of the EU.
The main objectives of the GDPR include:
- Harmonizing data protection legislation across EU member states;
- Protecting fundamental rights and freedoms of EU citizens;
- Giving Data Subjects full control over their personal information;
- Strengthening the level of compliance with focus on policies and procedures;
- Increasing security and exposure of weak practices;
- Putting more emphasis on secure data flows; and
- Introducing a new enforcement regime with heftier fines.
Under GDPR, sanctions for getting data privacy wrong can be severe. The Data Protection Authorities for GDPR compliance can issue warnings and reprimands, impose bans on processing, suspend data transfers and order the correction of an infringement. Lesser violations can result in fines of up to 10 million euros or 2 percent of total worldwide turnover, whichever is greater. More serious violations can result in fines of up to 20 million euros or 4 percent of total worldwide turnover.
Despite the threat of severe sanctions for noncompliance, only 19 percent of European companies are ready for the full roll-out of the GDPR, according to a recent PAC/CXP Group study. The report, Moving Beyond the GDPR, is based on interviews with more than 200 senior business and IT executives at medium- to large-sized companies operating across manufacturing, services, transportation and the public sector in Europe.
Why would companies gamble on the chance they won’t be sanctioned or fined for noncompliance? Do companies realize that failing to meet compliance obligations can jeopardize customer trust and loyalty — and negatively impact reputation? What are the obstacles preventing organizations from complying with the GDPR? Answering this question is a good first step toward resolving this issue and meeting GDPR requirements.
Three Common Reasons for Noncompliance
The challenge for some companies is finding and implementing an approach that meets GDPR requirements while avoiding the common pitfalls associated with complex activities impacting business processes, budgets, technologies and other resources. Companies have historically underestimated the work required to achieve and maintain compliance, as many have with the Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH).
Similarly, company management may not fully appreciate the scope and magnitude of the data environment and the number of systems, applications, databases and technologies that need to be GDPR compliant. Remediation has the potential to be a costly endeavor. Ultimately, a cultural change can improve three common areas that often hinder companies from complying with the GDPR:
- Awareness and understanding;
- Accountability and responsibility; and
- Resources and support.
Let’s take a closer look at these three factors.
1. Awareness and Understanding
Companies may have heard about the GDPR, but they often lack awareness and a detailed understanding of what it takes to achieve and maintain compliance. According to a recent McKinsey report, GDPR Compliance After May 2018: A Continuing Challenge, few companies feel fully prepared for GDPR compliance, and as many as half of them expect gaps to remain after the effective date of May 25, 2018 — especially in some areas of IT. This illustrates a trend of minimal improvement regarding awareness and an indifference toward perceived risks of data breaches and sanctions or financial penalties.
To help drive GDPR compliance, companies should develop and document awareness and training responsibilities for key positions upon which the success of the program depends. The expectation of ensuring awareness throughout the company could minimally be placed on representatives in privacy, information security, human resources (HR), vendor management, audit, IT, legal and compliance. Confirming that stakeholders understand the GDPR implications and are aware of the consequences of failure can help push the company toward compliance.
2. Accountability and Responsibility
After becoming familiar with the GDPR requirements, companies often learn that it’s not just an information technology issue. The regulation does address securing information technology systems and infrastructure, but the responsibility of compliance does not solely lie with the IT department, since there are other non-IT requirements that should be engaged.
This point leads to another reason companies may lag in their compliance efforts: a lack of defined and assigned accountability and responsibility. Companies may not perform to their potential, standards might slip, activities may not get accomplished in a timely manner and morale could suffer. As a result, more of the responsibilities may weigh on the shoulders of a few who carry the full burden of GDPR compliance, and they might get overwhelmed because the effort has not been shared equitably.
On the other hand, companies with defined and assigned accountability and responsibility can look quite different. Accountability and responsibility enables management to create ownership for the company. This means developing ownership for problems, successes, goals, initiatives, people and results. This process sets the controls in place, drives the company and indicates what is and isn’t on track. In other words, accountability and responsibility can help companies understand:
- Whether they’re on the right course;
- Whether they’ve got the right people in the right places; and
- Whether they’re achieving goals.
With these outcomes, companies can gain perspective on instituting change and setting new objectives. According to Forrester’s report, Identify Companywide Roles and Responsibilities to Support Your GDPR Compliance Efforts, compliance will require a major cultural transformation — particularly for companies that believe protecting customer data is the exclusive responsibility of the security or legal team. While security and privacy professionals will lead the GDPR strategy, many business units have a relevant role to play, and effective collaboration requires clear rules of engagement so that each team knows the basic tasks it must accomplish.
If management does not have accountability and responsibility in its plan to become GDPR compliant, it can mean business as usual for all but a frustrated few. Accountability and responsibility help drive change. This means that each GDPR requirement, measure, objective, data source and initiative must have an owner. It is essential for companies to assign accountability for GDPR compliance with clear roles and responsibilities defined.
3. Resources and Support
Not having enough financial or staffing resources can hinder the ability of companies to reach GDPR compliance. Too often, we find that a company’s ambitions outstrip the resources it’s is willing or able to allocate to attain its goals. Organizations often underestimate the amount of resources necessary for execution. This includes not only the amount of time needed, but capabilities of the individuals involved in the projects, the associated costs and the risks inherent with improper execution.
In addition to the problem of having too few resources, the way in which limited resources are allocated can impact the ability to execute GDPR compliance efforts. It is easy to underestimate the difficulty of maintaining GDPR compliance because it is a continuous process that requires constant vigilance, which incurs ongoing costs.
When formulating a plan for achieving GDPR compliance, it is important to identify the resources and time frames you realistically need. Due to the sheer breadth and scope of GDPR compliance, a large part of the company may be impacted by these efforts. Therefore, navigating the waters of GDPR is a task best undertaken with adequate staffing, financial resources and support to assist in the journey.
One consideration is to enlist the help of those who have built and managed security, privacy and compliance programs and can make relevant and similar recommendations to meet GDPR requirements. This could mean the difference between costing and saving the company time and money. Costs can vary dramatically based on several factors, with the most significant being resolving the GDPR requirements in a practical manner, since there are myriad choices in the marketplace today. Experienced professionals can pull these choices together into an integrated solution while saving time and money in the process.
Another consideration is to operationalize the GDPR compliance initiatives. Many companies use the term “operationalization” to refer to the act of relating concrete measurements and action plans to overall strategic initiatives. This method of breaking down strategies into more attainable goals can be a necessity for proper execution. Allowing team members to see these operational goals on a consistent basis, such as in a balanced scorecard, can help create a uniform focus on execution.
Embrace the Business Benefits of GDPR Compliance
Despite the possibility of data breaches and the threat of potential fines, many companies are not prepared to meet the GDPR requirements. While it is tempting to focus on the downside of noncompliance, the reality is that there are many benefits to becoming compliant. The GDPR provides a comprehensive framework that details requirements interwoven with the policies, procedures and standards to make them effective. Strong governance and compliance cultures can support efforts to protect data and meet regulatory requirements.
By properly implementing the GDPR requirements, and achieving and maintaining compliance, companies can be better prepared to prevent and detect a host of attacks against their data, both at the network and physical levels. Compliance can help companies improve their security posture and lead to fewer data breaches. Ultimately, investing in GDPR compliance can be the start of an entirely new outlook on success.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.
Cloud Security and Compliance Leader, IBM Cloud