The GDPR affects organisations globally because companies with a European presence will be subject to its requirements, as will any company with a website offering goods or services to EU citizens – including cloud services developed by US-based organisations.
This is vastly different from the current law, which most courts agree only maintains jurisdiction over companies with an established business in a particular state. The regulation also poses fines for data breaches up to 4% of annual global revenue, as well as requires privacy impact assessments (PIA), privacy and security by design, inventories and data mapping of personal information across business systems, appointments of data protection officers (DPO), and evidence that organisations are performing all of these actions.
>See also: Have you been caught unaware by the EU GDPR?
Complying with the GDPR will be no small task for most organisations as it will require a major shift – even for those that already have a privacy program. New obligations mean that those waiting for the law to come into effect to take action are already too late.
Studying global preparation for GDPR
In order to assess global readiness for GDPR, AvePoint conducted a survey with the Centre for Information Policy Leadership (CIPL) to ask companies to assess their preparation and document their concerns.
The first-ever benchmark report was released at the International Association of Privacy Professionals (IAPP) Data Protection Congress on November 9, 2016 in Brussels.
The objective of the survey was to help organisations assess and prepare their privacy and change management programs for GDPR implementation. Our questions focused on key change areas and topics of the GDPR that relate most to everyday business and compliance concerns.
The survey respondents totalled 223, with predominantly multinational organisations. According to responses, 93% of organisations operate in Europe, more than half operate in the US, and less than half operate in South America and Asia.
The survey revealed that most companies have started the process of assessing the impact of GDPR on their operations, devising an organisation-wide implementation, and evaluating the need for additional resources. Findings pointed to the following key trends.
GDPR impact
Respondents believe that requirements for a comprehensive privacy management program, use and contracting with processors, as well as data security and breach notification will have the largest impact on their organisations.
>See also: What are US companies’ view on GDPR?
As expected, senior leadership is most concerned about the GDPR’s enhanced sanction regime and data breach notification requirements, as well as the impact on their data strategy and ability to use data.
GDPR readiness
Organisations appear to be in varying stages of preparation for the GDPR. While most have appointed a DPO, many organisations are either increasing resources in preparation or are in the process of considering additional resources to meet increased obligations.
Compliance technology tools and software
Currently, organisations do not appear to use or have access to technology tools and software which aid with data privacy and compliance tasks.
Only a minority of organisations use technology to automate and industrialise their data protection impact assessments (DPIAs), data classification and tagging policies, data processing inventories, and delivery of the new data portability right.
Combined approach to GDPR implementation
Because of interdependencies between data privacy, compliance, IT systems and infrastructure, and organisations’ data strategy, GDPR implementation should be a company-wide change management program with a concerted effort from senior leadership, including the DPO, chief information security office (CISO), chief information officer (CIO), chief data officer (CDO) and general counsel.
While progress has already been made around the world, there is clearly still much more to be done Looking at the findings, only 33 percent of our respondents tag and classify data that they hold to determine whether or not it contains personally identifiable information (PII) or sensitive PII.
Beyond that, only 10% of those that do tag data use automation – leaving them to rely on end users to tag. This is problematic, as all other decisions about data stem from whether or not a company is managing PII.
So organisations are either building policies and procedures and hoping that people are following them or they relying on end users to tag their own data – which may be unsuccessful.
>See also: GDPR: What do you need to know?
End users are notoriously bad at tagging their own data, and a lack of automation makes it impossible to implement a good data protection program.
The study also found that only 26% of respondents keep processing and data transfers records – conflicting with the fact that 58% say they understand data lifecycle management within their organisations.
While organisations may understand what their policies state, if they don’t know what data they hold, they don’t know whether or not anyone is actually doing what they are supposed to at all.
Looking at the potential penalty of almost £1.9 billion that UK-based Tesco could have faced for their recent data security breach if GDPR had been in full force, the cost of compliance becomes much more palpable.
Because privacy and security risk management intersect with other data lifecycle management programs within your company, combining these related areas will allow you to better optimise resources and risk management to support responsible, ethical, and lawful collection, use, sharing, maintenance, and disposition of information.
Sourced by Dana Simberkoff, chief compliance and risk officer, AvePoint