Here’s a good starting point for learning about what any company with European users needs to consider before May of next year.
It’s February, 2017. Do you know where your GDPR plans are?
On May 25 of next year, the General Data Protection Regulation goes into effect, yet many companies with users from European Union countries are not ready to meet the requirements for protecting rights to personal data. The GDPR applies to all companies with such users, whether or not the companies are physically in those countries.
The exact number of unprepared businesses varies according to the survey, but it appears to be huge.
In October of last year, for instance, a survey by Dell found that over 80 percent of global businesses knew little or nothing about GDPR, less than one-third felt they were prepared, and almost 70 percent said either they weren’t prepared for the GDPR or didn’t know if they were prepared.
According to a recent detailed paper on GDPR — sponsored by cloud security provider CipherCloud — 58 percent of mid-sized and large organizations are “not sufficiently familiar” with the GDPR scope or penalties, and only 10 percent think they are “completely ready.”
That overview, “GDPR Compliance and Its Impact on Security and Data Protection Programs,” is a good place to start.
It notes that the consequences of non-compliance could be “significant financial penalties” — up to 4 percent of global annual revenue or a fine of 20 million euros, whichever is greater — plus “reputational damage.”
“Maybe nothing will happen” to GDPR violators, paper author Michael Osterman told me. Perhaps the enforcement will be generally lax, he said, “like anti-spam laws.”
Or perhaps, he surmised, the effect will be like that of California’s strict data breach law. Although almost all the other US states have data breach laws, many companies adhere to California’s, because meeting those strictest standards makes it easier to meet all the others.
But the bottom line is that companies don’t know what will happen. The EU could start with some warnings, followed by injunctions and possibly some selected prosecutions. At any rate, he said, the goal of his paper is “to raise awareness of the GDPR,” especially as it relates to data archiving, protection, cataloguing and classification.
There’s certainly a lot to do to comply. The study points to the need for a Data Protection Officer, for policies and training on handling sensitive data, for a Data Protection Impact Assessment, and for methods of data classification, loss prevention, encryption, explicit management of consent, and technologies that allow customers to manage their data in the ways the GDPR specifies.
To help you get started, the study outlines the GDPR’s evolution, a definition of personal data and the reasons behind the regulations. It discusses the core requirements for organizations controlling personal data of EU residents, the kinds of records that need to be kept, requirements for notifications of data breaches, data portability rights, and — possibly the most onerous for companies — the rights of individuals to access, correct, restrict or erase their personal data collected by your company.
“The implications of the GDPR for organizations can be summarized simply,” the paper says. “[Every] affected organization needs to immediately undertake a significant re-examination of its organization data strategy related to personal and sensitive personal data.”