By Herb Schreib, Sungard AS Security Consulting Practice Director

PCI, HIPAA, SOX, GLBA. The alphabet soup of government regulations and compliance standards is enough to give any CIO a migraine. But just when you thought it was safe to come out of the regulatory waters, the General Data Protection Regulation (GDPR) is right around the corner. Haven’t heard of GDPR? You soon will—and you’d better pay attention.

Previous data protection regimes such as the EU-U.S. Safe Harbor, which was invalidated by court order and replaced by the EU-U.S. Privacy Shield, focused on transfers of personal data from the EU to the U.S. GDPR does not fundamentally change the requirements for lawful transfer of personal data from the EU to the U.S.; rather, it replaces the 1995 EU Data Protection Directive and extends its reach beyond the EU to the processing of EU personal data anywhere in the world. GDPR creates a single set of data protection rules directly applicable in all EU member states, putting an end to the patchwork of national data protection rules that currently exists in the EU.

Who does GDPR affect?

While GDPR is an EU-based law, it still has implications for most U.S. businesses because it applies to any company with as little as a single employee or a single customer within the EU, including the U.K. An organization doesn’t even need to have an employee or customer to be impacted; a candidate or a prospect may be enough. In our global economy, almost every business has connections with the EU, so GDPR touches virtually everyone.

What are the GDPR fines for noncompliance?

This regulation has substantial penalty clauses, and it is immediately applicable and enforceable by law in all EU Member States. Under GDPR, fines can be up to 4 percent of total worldwide annual turnover for the preceding financial year or, in the very worst case, 20 million EUR—whichever is greater. In other words, it could seriously impact your bottom line.

Who is ready?

Businesses are just now becoming aware of the implications of GDPR, even though the law came into effect in April 2016 and becomes enforceable in May 2018. Many organizations are starting to realize their average IT security spend has shortcomings, and most acknowledge their security posture isn’t at a level they’re comfortable with.

Since the state of cybersecurity is such that every company is subject to hacking, the FBI says all companies fall into one of two categories: those that have been breached and know it, and those that have been breached and don’t know it.

Most organizations acknowledge that GDPR compliance requires a substantial change in the way they do business, including the emphasis they put on IT security. And almost all companies recognize they are not prepared for GDPR.

Many businesses are still in the initial phases of preparation, and they simply don’t know where to turn. Some—especially those that are not in the technology industry—are throwing their hands up in the air and turning to experienced partners for help.

Why is GDPR compliance so difficult?

Competing priorities and budget constraints can complicate matters for many companies. Nearly all companies have limitations on their IT spend, and when a CIO tells you to put another service in place, sometimes cybersecurity goes on the back burner.

A Financial Times survey found that the tech sector is rushing to hire new personnel and redesign products as it faces rising costs and missed revenue in light of these sweeping EU laws. If companies do not have technology in their genetics—retail, construction, oil and gas, for example—they have an even larger challenge with risk, operational agility and how much they are willing to spend to ensure security of their infrastructure and thus their employee and customer data.

Creating a data governance solution that provides holistic oversight, protection and accountability for organizational data is a complex challenge for many organizations. Adopting a Risk/Resilience/Recovery approach—or R3 Data Governance—provides the framework, tools and methodology for implementing a risk-based data governance and privacy program. Remember: You can violate GDPR without ever having a security breach.

At first, there will probably be some large fines imposed on a few companies for non-compliance, and these will be highly publicized. These companies will experience loss of customer trust, which is even more damaging than fines as it can permanently damage brand reputation. Once other companies see this, they will understand the need to increase spending on cybersecurity.

Can I be ready in time?

The good news is that it’s not too late to develop a cybersecurity plan that puts in place a level of security appropriate to the personal data you hold and the risks presented by processing it, as required by Article 32 of GDPR.

The first step is an honest self-assessment, preferably conducted by a third party, that measures the interplay between people, processes and technology. This should be an objective assessment of readiness, and its recommendations should include concrete measures to bring the company up to speed on accountability.

It’s not about if a breach will occur, but when, and how well the organization responds. That response will depend on whether it can identify the source, measure the volume of data lost and mitigate future attacks so that the same threat vector cannot be used again.
