GDPR Compliance Starts May 25: Five Questions Answered

By Bharat Mistry | May 29, 2018 | Updated: December 4, 2024 | 4 Mins Read

Over half (54%) of global businesses believe they are not ready for the coming GDPR, according to KPMG research released in April. That will inevitably leave many in a state of non-compliance by May 25. So what will happen? Is it already too late? Will erring firms be hit with mega-fines from day one? The good news is that compliance is a journey, not a destination.

Here are five common GDPR questions answered:

Am I going to get fined?

No. UK regulator the ICO has been very clear about this, stating: “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.” That seems pretty unequivocal. But it’s also important to note that, while regulators will be looking to play an advisory and educational role — dangling the carrot of competitive differentiation rather than applying the stick of punitive fines — there will be limits.

In short, organisations which make no effort to get compliant after May 25 may be at risk of some kind of enforcement action or fine, especially if they handle sensitive personal data, or process it in potentially intrusive ways. As the ICO states: “It is not the size of the organisation that’s relevant so much as the risk that particular businesses and types of data processing pose.”

Is it too late to become compliant?

Definitely not. This is not a Y2K scenario. GDPR compliance is an ongoing process which will change and evolve over time. That means you have time, even if you start now. If regulators have seen you take concrete steps to begin this compliance journey, they are more likely to be assured you have the best interests of your customers and employees at heart. That also means, however, that you need a dedicated team and Data Protection Officer (DPO) in place to manage this on an ongoing basis.

Where do I start?

It can seem like a daunting proposition, but there are a few best practice steps you can take to kick things off. First, you need to understand what data you hold and where it flows: through, and out of, the organisation. So carry out a comprehensive data audit, then classify that data according to the risk it poses. After that it’s a case of mapping security controls and processes to that data to reduce risk. The GDPR builds upon the previous European data protection regime, so if you comply with that you’ll already be a long way there. Also look to best practice frameworks like ISO 27001 and even the US NIST to help you, as they offer key best practice approaches to privacy, controls, risk management and more.

I’ve sent marketing opt-ins, is that enough?

Unfortunately not. The GDPR is about way more than obtaining explicit consent from customers to use their data. It’s also about accountability and data protection: ensuring you store and process that data in a secure and compliant manner. It’s important to remember that even if you meet right-to-be-forgotten or data-portability requests, you may still be required to retain some data and audit trails for other compliance and reporting requirements such as SOX. Data minimisation is a key principle of the regulation, but be mindful of where the boundaries are.

What about my suppliers?

This is currently the biggest and potentially most dangerous GDPR blind spot around. According to KPMG, only 10% of global firms have checked to see if their suppliers are compliant. Today’s complex supply chains, potentially including multiple cloud and managed service providers, make this particularly onerous. But it’s also vital, given that many breaches happen when partner organisations are attacked and used as stepping stones into your network. Revisit all your contracts and audit suppliers for compliance.

Remember, it’s never too late to begin your compliance efforts: if you take the process seriously it could even be a great opportunity to differentiate and grow the business.


Bharat Mistry

Principal Security Strategist
