With the May 25th compliance deadline for the EU’s General Data Protection Regulation (GDPR) rapidly approaching, GDPR compliance and enforcement issues are top of mind for the Legal community. The adoption of the General Data Protection Regulation (GDPR) sets a high bar in the protection of personal data. The Regulation was designed to give citizens control of their personal data and address the disruption to data privacy fashioned by the rapid evolution of information technology over the past 20 years. The publication of the official text in 2016 provided organizations located in, and those doing business in the EU, time to review and prepare for the upcoming compliance deadline of May 25, 2018.
With the compliance deadline nearly upon us, recent Hyperion polling sought to measure the community’s readiness for GDPR and the broad new regulations it will usher in (Fig, 1, below).
While the overall picture shows a preparedness for classic approaches to network security, it is the newly introduced concepts of GDPR, like Right to Erasure and Breach Notification, that companies are struggling with the most.
FIG. 1 – AREAS OF GDPR READINESS
GDPR is Not an Extension of Existing Privacy Laws
One of the common misconceptions many US companies have of GDPR is that it is simply a new European version of the standard data privacy laws we’ve seen enacted across the US over the last few years. With this in mind it is unsurprising to see the highest areas of readiness align with technical competencies within existing infrastructure models.
However, as we detailed in GDPR and the Expanding Concept of ‘Citizen’, GDPR redefines data privacy and control as fundamental rights of EU citizens for both private (government identifiers) and public (emails and social media accounts) forms of data. This raises the bar significantly and mandates that companies be prepared not just to safely manage data within their own networks but be prepared inform and respond to regulators and individuals as required.
While there are a number of internal IT security requirements spelled out in the GDPR regulation, even there we continually find an overconfidence in how Corporate Legal Departments view their organization’s own level of security.
As we have noted consistently in Research over the past few years, there is a concern of an over-reliance on “data security” as the purview of IT’s general infrastructure – something managed by technical experts rather than General Counsel and Risk Officers, who arguably are better equipped to control sensitive content. GDPR is not limited to safeguarding against hackers or properly encrypting data files; it speaks directly to the custodial responsibilities of indexing, maintaining, reporting and deleting information as directed by the consent agreements with individual data subjects.
Foreign Concepts of GDPR
The newly introduced, and arguably foreign, concepts of citizen data rights that register as areas of least preparedness.
This is especially true of the new Right to Erasure and the understanding of personal data as a fundamental human right. As we highlighted recently in “Who Owns Personal Data: GDPR vs USA” the new laws present a particular challenge for US companies that routinely collect personal data in efforts to monetize market information for internal use and marketing algorithms. As expected, a number of prominent US tech companies are already fighting this in the EU Courts. In February 2018 Facebook, having already been fined in Spain, lost a major lawsuit in Belgium over EU privacy laws in a ruling that fined the company €250,000 a day until it complies with the GDPR. Google’s delisting lawsuit in France has been referred to Europe’s top court and is still awaiting judgment. We expect these lawsuits and others like them to continue as the true scope of these new laws are ultimately hammered out in the courts.
Similarly, US companies are not properly recognizing their responsibilities to notify and respond to individual citizens. Monetary penalties aside, some analysts are already theorizing the ways in which GDPR can be weaponized via aggressive campaigns from activists looking to inundate target companies with Access Requests in order to force an Information Commissioner’s Office (ICO) investigation. While larger tech-savvy companies may have the resources necessary to respond to hundreds of data requests, small or medium-sized companies will struggle to respond within the required timeframe.
The fact that nearly 1 in 5 companies don’t feel prepared at all for GDPR after more than two years since the law was enacted is cause for alarm. There are only two months remaining before the new laws come into effect, and any ill-prepared company will face an uphill battle and significant risk come May 25.
And the actual number of unprepared companies may even be significantly higher. A recent analysis from ITPRO found only 43 percent of businesses have taken the necessary actions to certify compliance. Part of this hesitation may be due to a “wait and see” approach for some Fortune 1000 companies who are choosing to see how the GDPR is actually enforced before they spend large sums of money re-engineering company infrastructure.
While this approach may have worked in the past, GDPR is an unprecedented approach to information regulation that will affect thousands of US companies regardless of preparedness. It is this newness and uniqueness to GDPR regulation that companies are underestimating, and that poses the greatest challenge to compliance.