Five Shades Of Readiness: Are You Ready For GDPR?
Few business IT topics since the days of Y2K have led to as much concern or confusion as GDPR. The General Data Protection Regulation goes into effect on May 25, 2018. Businesses, governments and regulators have had two years to get ready for GDPR to become an enforceable regulation, but there is still genuine confusion about whether companies are actually ready.
How do you know if you’re ready? How do you know if you need to be ready? These are questions that could have some very serious financial implications for companies both large and small, no matter where the company is located.
If your business deals with personal data from a citizen of the EU, then your business falls under the requirements of GDPR. The regulation makes some distinctions based on a company’s role in handling data and how much data is handled, but it’s important to note that there is no exemption for small organizations: If your company (or other organization) collects or processes data from EU citizens located in the EU, then GDPR applies to you.
GDPR makes a distinction between those who gather personal information (“controllers” in the regulation’s language) and those who process the information (“processors” in the regulation). Neither gets a free pass from the regulation, but issues like permission to gather information and data portability are handled differently for the two types of organizations.
New Officer Readiness
One of the points at which size makes a difference is in the appointment of a data protection officer (DPO). Larger organizations, or organizations of any size that either collect or process large quantities of personal data, must appoint a data protection officer responsible for GDPR compliance.
The office of the DPO will be a significant investment for organizations because the individual in the office must be proficient at managing IT processes, data security (from prevention to response and remediation) and critical business continuity issues around collecting, storing and processing sensitive personal data. In virtually every case, this will mean establishing an office and a team rather than simply naming an individual for the purposes of completing a form.
GDPR’s foundation is the idea that individuals own their data. This means that policies and processes must be established to ensure that those who use a company’s sites, products and services give positive permission (not simply the opportunity to opt out) for their data to be collected and processed. It also means that they have the “right to be forgotten” — if your company is holding data on an individual, there must be a mechanism for that person to contact you in the event that they want the data deleted — and that instruction must be honored.
One of the interesting side effects of data belonging to the individual is that, in most cases, it must be portable. This will be especially important in applications like mail, messaging, task lists and calendars. If the individual asks that their data be provided to them or ported to another service or provider, there must be a mechanism in place for doing just that.
It’s obvious that, in order to comply with GDPR, data must be protected. One mechanism that the regulation accepts for protection is “pseudonymization” (i.e., altering the data so that, without additional information, it can’t be associated with a particular individual). Both encryption and tokenization are acceptable methods of protecting data within GDPR.
Pseudonymization doesn’t remove data from GDPR’s protection: as long as the additional information needed to re-link it exists, it is still considered personal data and still falls under the rules of the regulation. Encryption and tokenization can nonetheless be used to show compliance with the provisions of GDPR, and are being adopted by many companies.
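The following is an added illustration, not code from the article, of the pseudonymization approach described above, in which a direct identifier is replaced by a keyed token while the token-to-identity mapping (the “additional information”) is kept apart from the processed data. It also shows how the “right to be forgotten” mechanism from earlier in the article can be honored by deleting that mapping entry. The records, key handling and function names are assumptions constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (not real people); the e-mail address is the direct identifier.
CUSTOMER_RECORDS = [
    {"email": "alice@example.com", "country": "DE", "orders": 3},
    {"email": "bob@example.net", "country": "FR", "orders": 1},
]


def pseudonymize(records, key):
    """Replace the direct identifier with a keyed token.

    Returns (processed, vault). The processed rows carry only the token; the vault
    (token -> e-mail) is the 'additional information' GDPR refers to and must be
    stored separately from the processed data, under the controller's control.
    """
    processed, vault = [], {}
    for rec in records:
        # HMAC rather than a bare hash: without the key, a token cannot be rebuilt
        # from a guessed e-mail address, so rows cannot be linked back to a person.
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        vault[token] = rec["email"]
        row = {k: v for k, v in rec.items() if k != "email"}
        row["subject_token"] = token
        processed.append(row)
    return processed, vault


def reidentify(row, vault):
    """Re-linking needs the vault; this is why pseudonymized data is still personal data."""
    return vault.get(row["subject_token"])


def erase_subject(email, vault):
    """Honor an erasure request by dropping the vault entry: every processed row about
    this person becomes unlinkable without rewriting downstream datasets."""
    removed = [t for t, e in vault.items() if e == email]
    for t in removed:
        del vault[t]
    return len(removed)


def contains_direct_identifier(processed):
    """Release check before handing data to a processor: no row may still carry an e-mail."""
    return any("email" in row for row in processed)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the controller, never shipped with the data
    processed, vault = pseudonymize(CUSTOMER_RECORDS, key)
    print(processed, reidentify(processed[0], vault))
    erase_subject("alice@example.com", vault)
    print(reidentify(processed[0], vault))  # None: the person is no longer linkable
```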
Failure to disclose data breaches in a timely manner, as in the Equifax incident, is not uncommon. Under GDPR, companies must notify the supervisory authority (the government agency responsible for GDPR compliance) within 72 hours of becoming aware of a breach. If a breach could result in any adverse consequences for the individuals involved, then they must be notified promptly.
Notification is not required if the data has been encrypted, tokenized or otherwise obfuscated so that it’s not intelligible to the attacker. This can be another significant argument in favor of using these technologies for GDPR readiness.
Benefits Of Readiness
Most statements looking at the benefits of GDPR readiness focus on avoiding the significant fines that can come from a GDPR failure — fines that can reach €20 million or up to 4% of a company’s annual global revenues. A more important benefit, though, can come from customer or client confidence in the organization gathering their data.
A growing number of surveys and polls indicate that consumers care about the way their data is treated by companies. Being able to demonstrate through GDPR compliance that they are a responsible caretaker of personal data can be a competitive advantage for companies in the EU and around the world.