What will happen if my company is not compliant with the GDPR?

This is perhaps the biggest question companies are asking themselves about the GDPR. Non-compliance with the GDPR carries penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher. Ovum reports that 52% of companies believe that they will be fined for non-compliance. Oliver Wyman (a management consulting firm) has also predicted that the European Union could collect as much as $6 billion in fines and penalties in the first year.

You likely won’t be the only one if your organisation is not in compliance by May 25th. The general consensus is that about half of the U.S. companies that should be compliant will not be on all requirements. Solix Technologies released a survey in December where 22% of companies were not even aware that they must comply with GDPR. Furthermore, 38% said that the personal data they process is not protected from misuse and unauthorised access at every stage of its life cycle.

One requirement is looking to be particularly difficult for companies trying to achieve compliance: the right to be forgotten. Almost two-thirds of the Solix survey respondents say they are unsure whether they can permanently erase an individual’s personal information by the May deadline. This leaves many organisations exposed to fines.


How will penalties be assessed?

This is the big unanswered question. Will there be a difference in fines between a breach that doesn’t have much impact on an individual compared with one where their exposed personal identity information causes damage? And what will that difference be?

It’s thought that the regulators will want to make an example of a few companies to send a message to those that are non-compliant. Once that has happened, organisations will be able to make a more accurate assessment of what to expect if they are found non-compliant.


Which GDPR requirements will my company be affected by?

Following GDPR requirements will mean companies need to change the way they process, store, and protect customers’ personal data. For example, when an individual consents, companies will be permitted to store and process personal data, but for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies must erase personal data upon request.

That last item is also known as the right to be forgotten, for which there are some exceptions. There are some legal requirements that supersede the GDPR and mean that an organisation may maintain certain data, for example, HIPAA health record requirements.

Although the term “reasonable” has not been well defined by the GDPR, company security teams must be able to provide a “reasonable” level of privacy and data protection to citizens of the EU.

A potentially challenging requirement is the rule around breach reporting. Following detection of a data breach, companies must report it within 72 hours to supervisory authorities and individuals affected.

Performing impact assessments to identify vulnerabilities and how to address them is another requirement, with the intention of helping to mitigate the risk of breaches.


Successful GDPR – A Case Study

Let’s take ADP as an example. This is a company that provides Human Capital Management via a cloud-based system, as well as business outsourcing services, to more than 650,000 companies around the globe. That’s millions of people around the world whose personal identity information it holds, so it’s hard to imagine a company that could be more affected by the GDPR. It is not just regulators that will expect ADP to be compliant, but all of its clients as well: for those clients to be compliant, ADP needs to be compliant first. If ADP were found to be non-compliant, it would not only face hefty fines but potentially a huge loss of business as well.

The scale and global focus of ADP stands it in good stead and gives it an advantage when facing the regulations surrounding the GDPR. There won’t be a huge leap to adhere to these, as the company already adheres to so many privacy laws and security regulations. It is certainly not starting from scratch. Its need for compliance is not just as a company, but as a service provider too.

ADP may well be better prepared than most, but it is still a large, global project, which the company began a year ago. Before the GDPR had been discussed, it had already started working on data flow mapping and privacy assessments as part of new products.

This is what ADP sees as the key to successful compliance: starting data flow mapping early. “Data flow mapping is required to do inventory of products, and processing PII is a first step to data protection impact assessments that are required. We’ve also implemented privacy by design in our new offers and products.” ADP even provides training for its developers to support its “privacy by design” policy.

Another step towards success is pulling in people from many areas of the company. Complying with the GDPR is something the whole organisation needs to be involved in. It affects all operations and functional groups; it is not purely a privacy or compliance project for the security team. The right processes need to be implemented across the organisation as a whole.

One mechanism for securing PII is encryption, which ADP already has in place. From a security standpoint, this is something that can then be communicated to its clients, who can in turn pass it on to their own employees and clients.

ADP is very clear that it will be compliant and on time. As a data processor for other companies, it is making this compliance clear to its clients. It wants to protect their personal data to the standard expected by the EU regulator, and has therefore applied for binding corporate rules for protecting personal identity data.

ADP sets a rather good example of where to start and what to do. Here are its tips for beginning the GDPR compliance journey:

  • As a company, understand what it means for you in terms of your business. Identify to what extent you will be affected by the new regulations and compile a gap analysis.
  • Take an operational approach. Take each function of your organisation, and have a representative from each. This is not just a purely legal or privacy compliance project. Each organisational function representative can determine whether a requirement affects their department, and how they can or already do meet this requirement.
  • Documentation. Part of the GDPR is being able to show how you have become compliant. Get your business people to do an assessment, decide what needs to be done, and then document what you are doing.


What should my company be doing to prepare for the GDPR?

  • Get top management to set a sense of urgency. You must be prepared.
  • Get all stakeholders involved. Get a task force in place that includes marketing, finance, sales, operations—any function within the organization that collects, analyses, or otherwise makes use of customers’ personal identity information. Information will be shared better, and will be most useful to those implementing the technical and procedural changes that the GDPR requires. Each individual team will also be better prepared to deal with any impact on them.
  • Conduct a risk assessment: One of the biggest obstacles, but the first course of action – you need to know what data you store and process on EU citizens and understand the risks surrounding it. This risk assessment must also outline the measures being taken to mitigate that risk. A key element of this assessment will be to uncover all shadow IT that might be collecting and storing PII. The greatest risk of non-compliance comes from shadow IT and smaller point solutions – don’t ignore them!
  • Hire or appoint a Data Protection Officer: This could be someone who already holds a similar role, as long as there is no conflict of interest in terms of ensuring the protection of personal identity information. If there is no such person, you will need to hire a DPO. This could be a ‘virtual’ consultative role rather than a full-time position.
  • Create a data protection plan: This is something that most companies already have in place. You will need to review and update it with the GDPR in mind, to ensure that it complies with requirements.
  • Don’t forget about mobile: According to a survey, 64% of IT and security executives access customer, partner, and employee PII using mobile devices, and 81% of the survey respondents said that employees were allowed to install personal apps on these devices. In terms of GDPR compliance, this creates a unique set of risks – if any of those apps access and store PII, they must do so in a GDPR-compliant manner, which is very difficult to control, especially when you consider that employees will use unauthorised apps too.
  • Create a plan to report your GDPR compliance progress: As the May deadline gets closer, organisations must be able to demonstrate how they are making progress with the new regulations by completing the Record of Processing Activities (RoPA). This centres around taking an inventory of risky applications. This will help you avoid being an easy target for regulators. Through doing this RoPA you are identifying where personal data is being processed, who is processing it and how it is being processed.
  • Implement measures to mitigate risk: So you’ve identified the risks and how to mitigate them, next you need to put those measures into place. Following the RoPA, your GDPR team can identify and investigate any potential data risks and determine the level of security required to protect that data.
  • Ask for help. If you have a small organisation then don’t be afraid to ask for help if needed. Smaller companies can and will still be affected by GDPR, some more than others. If you don’t have the resources needed to meet requirements then there are outside resources available to provide advice and technical expertise to help you through this process.
  • Test incident response plans: Companies have 72 hours to report a data breach. Your response teams need to know how to respond to and report a breach – their ability to do this effectively will influence your company’s risk of fines. Run a test and practise this process.
  • Set up a process for ongoing assessment: To ensure that you stay compliant, you will need to consistently monitor the processes you have in place and continuously improve them. You may wish to incentivise employees for following new policies, and hand out penalties to those who don’t. Observance of GDPR policy could even be written into employee contracts.

The aim of all of this is not merely to tick a box and comply for the sake of avoiding a fine. You can view it as a way of improving your business. Not only can compliance be seen as a competitive advantage, but it will also boost consumers’ confidence in your brand and service. In addition, and perhaps most importantly, the changes made in order to comply with the GDPR will bring technical improvements, greater process efficiency and more effective management and security of data across your organisation. All positive things!
