The road to GDPR implementation: challenges and opportunities ahead

Less than 14 months remain until the General Data Protection Regulation (GDPR) takes effect—and US technology companies are feeling the pressure, the 2017 BDO Technology Outlook Survey revealed.

The survey, polling tech CFOs in the software, hardware, telecommunications, internet and IT sub-sectors, found that 44% of survey participants had cited data privacy laws, including the GDPR, as their most serious compliance concern this year, overtaking last year’s top compliance concern, financial reporting.

Replacing the EU’s Data Protection Directive, the GDPR, effective May 25, 2018, intends to harmonise and simplify the EU’s regulatory environment by creating a single set of regulations aimed at protecting the data privacy of EU residents.

>See also: GDPR: What do you need to know?

The GDPR is written so as to apply to any entity that controls or processes the personal data of EU data subjects, regardless of where it operates. This means that any US or foreign company that deals with the data of EU residents will be subject to the GDPR’s stringent requirements—even if it’s based outside of the 28 EU member states.

Cyber security, data privacy top-of-mind

As entities dealing with the data of EU residents work to firm up their data privacy protections in compliance with the GDPR, they do so also as a defensive measure against growing cyber security risk.

According to a recent Ponemon Institute and IBM study, companies can expect a 26% probability of a material data breach involving 10,000 lost or stolen records in the next 24 months.

BDO’s 2016 Board Survey further revealed that 74% of board directors said their board was more involved with cyber security than 12 months ago, with 88% briefed on cyber security at least once per year.

Data breach costs are rising, too. The Cisco 2017 Annual Cybersecurity Report cites that more than a third of organisations that experienced a data breach in 2016 reported substantial customer, opportunity and revenue loss of more than 20 percent, a significant portion of a business.

>See also: What are US companies’ view on GDPR?

Yahoo’s recent data breaches, for example, compromised more than 1 billion customer accounts and resulted in more than 40 lawsuits.

They also caused Verizon to cut its planned $4.83 billion acquisition of Yahoo’s core business by $350 million—not to mention numerous other tangible and intangible costs, including the resignation of the company’s chief legal officer.

The GDPR aims to address the growing cybersecurity risk in two of its provisions, Article 5 and Article 32, which set forth basic rules on personal data processing for data controllers and processors:

Article 5

Data must be processed in a way that ensures appropriate security of personal data, “including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Article 32

The data controller and processor must put in place technical and organisational measures to ensure an appropriate level of security, including by implementing a process to regularly test and assess the effectiveness of such security measures.

When assessing the appropriate level of security, the controller and processor must consider risks that data processing presents, particularly from accidental or unlawful destruction, loss, access to or disclosure of personal data.

As a result, many companies have internalised the importance of confirming their cyber programs, among other things, and are GDPR-ready — with Microsoft, led by chief privacy officer Brendon Lynch, being one of the first tech giants to lead the charge in GDPR compliance.

>See also: Have you been caught unaware by the EU GDPR?

Other tech companies must follow soon, if they are to avoid the heavy fines that EU Data Protection Authorities (DPAs) could impose for non-compliance with the GDPR’s requirements, which include securing personal information, maintaining and producing proper documentation to support the legal basis for processing, providing proper notice, conducting privacy impact assessments (PIAs), and notifying DPAs of becoming aware of a data breach event that is likely to present a risk.

Fines can be staggering, reaching up to €20 million, or 4% of global revenues for the previous fiscal year, whichever is higher.

Cyber security market opportunities

But while anxiety around cyber abounds for some, others—most notably, security and storage software vendors—are excited for the market opportunities that have begun to emerge.

Market Research Media estimates that the US federal cybersecurity market will grow from $18 billion in 2017 to $22 billion by 2022, at a steady Compound Annual Growth Rate (CAGR) of 4.4%.

Tech CFOs from BDO’s 2017 Technology Outlook Survey, meanwhile, predict that cyber security will be the second-largest driver of growth in the technology industry, with 18% viewing it as the most important factor for industry growth.

The cyber insurance market could especially benefit from the increased demand of its services resulting from the GDPR. Due to the GDPR’s multiple demands—including its strict breach reporting requirements—companies will be driven to re-assess their current cyber insurance coverage to ensure that they are adequately covered for all potential GDPR-related incidents.

This provides a great opportunity for cyber insurers to reassess their own service offerings. To ensure that they, too, are GDPR-ready, insurers must develop a deep understanding of all the possible data and operational risks involved by becoming familiar with the processes their clients use to store and protect their data, including their relationships with third-party vendors.

Insurers must then develop smart underwriting and claims administration capabilities so that they can clearly delineate what is insurable and what is not, and assure that their service offerings are comprehensive.

Preparing for the GDPR

Because of the multiple challenges and opportunities that the GDPR brings, companies must take a proactive approach to preparing for its implementation sooner rather than later. After all, redesigning a process or adopting new technology to deal with portability rights or tracking consent may take months or even a year or more for large enterprises.

Companies will find that much of the work involved requires considerable effort in reforming the way they store, use, share, maintain and record personal data, which will consequently require significant changes to current processes and systems.

>See also: Benchmarking global readiness for the GDPR

Preparation cannot be the responsibility of the legal, IT or compliance teams alone, but must be a cross-functional effort with buy-in from stakeholders across all departments.

With far-reaching consequences that can significantly harm, or even destroy a business, data breaches are not to be taken lightly.

This makes data privacy more important than ever. While there are still challenges for U.S. companies to iron out under the GDPR, the best thing they can do now is map out a path toward compliance and start moving in that direction.

Guidance on the GDPR is fully expected, which may alter decisions along the way. But, waiting for full clarity before starting the process will put the company that does so at risk of being nowhere near the mark when May 25, 2018, arrives.

 

Sourced by Aftab Jamil, assurance partner and national leader of BDO’s Technology practice and Deena Coffman, managing director in BDO Consulting’s Technology Advisory Services practice and a certified information privacy professional (CIPP)

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...