First discussed in the 1990s and adopted as law in 2016, the EU’s General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018, imposing strict requirements on millions of businesses and subjecting violators to severe penalties.
The complex regulation is of concern not just to European businesses. It applies to any organization worldwide that controls or processes the personal data of individuals in the EU, whose privacy the GDPR is meant to protect; the regulation turns on where the data subject is, not on citizenship.
A recent PwC survey found that more than half of U.S. multinationals say GDPR is their main data-protection priority, with 77% of them planning to spend $1 million or more on GDPR readiness and compliance.
“The GDPR is putting data protection practices at the forefront of business agendas worldwide,” Steve Durbin, Information Security Forum’s managing director, wrote recently.
In other words, it’s crunch time for companies that fall within the GDPR’s broad scope and that haven’t completed their preparations to comply with this regulation. Gartner estimates that about half of organizations subject to the GDPR will be non-compliant by the end of 2018. You don’t want to be in this group of laggards.
Why? Consequences can be dire. The top tier of fines for violating GDPR provisions reaches up to 4% of your company’s global annual turnover, or up to €20 million, whichever is higher.
Today we begin a weekly series in which we’ll zero in on specific GDPR requirements and highlight how Qualys can help you with compliance. In this first installment, we’ll address how getting your organization ready for GDPR can have significant business advantages beyond achieving compliance and avoiding penalties.
Organizations often see regulatory compliance as a necessary evil that eats up precious time, effort and resources they would rather devote to areas such as sales, marketing, R&D and IT. Yet, complying with a regulation can also yield considerable business benefits. Such is the case with GDPR.
It forces organizations to gain complete visibility and control over the personal data of EU residents that they handle. For many organizations, this will require a major overhaul of their data governance and data management, and involve changes in processes and technology.
These enhancements for data privacy and security, in turn, can give organizations a competitive edge by also sharpening other areas of the business, as the scenarios later in this post illustrate.
“Frankly, any manager that isn’t viewing GDPR with the aim of getting business benefit from the effort involved, is becoming a danger to his/her company and employees,” wrote David Norfolk, an analyst from Bloor Research, a U.K. research and consulting firm.
For John Oates, a writer at U.K. magazine Computer Business Review, it’s a sign a company is innovative if it sees GDPR-related changes as a business opportunity and “not just another box ticking exercise.”
“Security and privacy can and should be seen as a business differentiation strategy – a way to place your firm head and shoulders above the competition,” he wrote in the article titled “Treating new regulations as an opportunity.”
Although organizations need to apply GDPR requirements only to EU residents’ data, it’s expected that many companies, particularly multinationals, will opt to treat all of their customers’ data according to GDPR stipulations.
“From an architectural perspective, I think companies are going to assume everyone they’re dealing with is a European Union citizen,” Denyette DePierro, vice president and senior counsel of cybersecurity and payments at the American Bankers Association, recently told The Wall Street Journal.
One could argue that these companies that go all in with GDPR may gain an edge with non-EU customers whose data is treated more loosely by competitors.
“GDPR is an opportunity to better engage with customers,” Forrester analyst Enza Iannopollo told the Journal.
As regulations go, GDPR is a doozy. It imposes broad and strict requirements on organizations anywhere in the world that handle personal data on EU residents. Fines can amount to 4% of an organization’s global annual turnover, or €20 million, whichever is higher.
Specifically, organizations must know what personal data of EU residents they hold (the GDPR’s term “personal data” is broader than the U.S. notion of personally identifiable information, or PII, and covers anything relating to an identifiable person), where it’s stored, with whom they’re sharing it, how they’re protecting it, and what they’re using it for.
“The core approach is information governance, knowing what personal data sits in an organization and getting it under management,” wrote IDC analyst Duncan Brown. “Most companies have a very loose understanding of this concept, and need assistance.”
Organizations must have technology and processes in place to respond promptly to requests from EU residents exercising their rights, including access to, erasure of, and portability of their personal data, and to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
“If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls,” Gartner said in May. The IT research firm forecasts that by the end of 2018, more than 50% of companies affected by the GDPR will not be in full compliance with its requirements.
Where processing relies on consent, organizations must be able to demonstrate that each EU resident gave it freely, specifically, in an informed way and unambiguously; consent is only one of several lawful bases for processing, but it is the one most organizations lean on for marketing and analytics. They must also protect this data according to GDPR standards, in part by adopting “data protection by design and by default” (often called privacy by design) when developing new services and systems.
Organizations must also ensure that the third parties they share this data with -- vendors, contractors, partners, suppliers -- provide sufficient guarantees of GDPR compliance and are bound to it by contract, since the GDPR requires a written agreement with every processor acting on a controller’s behalf.
Here are several concrete scenarios where GDPR readiness will yield broad business benefits.
A common, chronic problem among organizations is that customer data is dispersed among many siloed, heterogeneous systems across multiple business units. GDPR forces organizations to find all the EU resident PII they store, process and share, so that it can be quickly accessed, easily managed and properly protected.
Once this is accomplished and business units have a firm grip on this data, the organization will gain significant operational efficiency and agility. Business decisions will be based on superior analysis of comprehensive, up-to-date data, not on partial assessments of fragmented, outdated and low-quality information. Internal collaboration will get a boost once business units are able to quickly share fresh, accurate data with each other, sharpening, for example, sales strategies and marketing campaigns.
As has been seen time and again, organizations with solid security and compliance nonetheless can get breached due to the carelessness or negligence of their trusted third parties -- vendors, partners, contractors, suppliers and the like.
GDPR keeps organizations accountable for the processing that third parties carry out on their behalf with EU residents’ personal data. As a result, organizations need to stringently assess the GDPR awareness and compliance of these partners. Along the way they’re bound to end up dismissing weak ones, re-negotiating contracts and strengthening ties with others, and enhancing the quality of their third-party supply chain network by making it safer and more efficient.
In their eagerness to launch new digital products and services, many enterprises have made data privacy and security an afterthought. As a result, they have put themselves at increased risk of hacks and data breaches.
To comply with GDPR, organizations need to embrace the concept of privacy by design. This means that when designing a new system or service that processes personal data, they must make sure that data protection considerations are taken into account early on and throughout the process, and that the default settings collect and expose no more data than the purpose requires.
Survey after survey shows the deep frustration among consumers with companies’ continued inability to protect their personal data from breaches.
GDPR introduces Data Protection Impact Assessments (DPIAs), which are mandatory before any processing that is likely to pose a high risk to the privacy rights of individuals, and forces organizations to devote considerable effort, know-how and technology to the protection of this data.
This mandate makes data privacy and security a boardroom-level issue, and puts it in front of top management. IT and InfoSec teams will have an easier time making a case for modernizing and upgrading the IT infrastructure with more efficient and effective wares, such as cloud-based security and compliance solutions.
Meanwhile, organizations that succeed at upping their game in this area will benefit from greater trust and goodwill among their customers, who will in turn reward these vendors with increased loyalty and repeat business.
In upcoming posts of this weekly blog series, we’ll explain how a variety of Qualys products can help you in your efforts to prepare for GDPR compliance and reap the benefits outlined in the just-described scenarios and others.
Specifically, we’ll dive into individual Qualys cloud-based apps and the GDPR requirements each one addresses.
To learn more about how Qualys solutions can help you become compliant, visit qualys.com/gdpr where you can download our free GDPR guide and watch our GDPR webcast.
(Darron Gibbard is Qualys' Chief Technical Security Officer for the EMEA region.)