The upcoming implementation of the Global Data Protection Regulation (GDPR) in May 2018 has many security experts on edge. However, they should really view the regulation as a great opportunity. For the first time, there is clarity – albeit not without some murky details – on where the future of cybersecurity is headed. But it appears that many security experts are reacting out of fear and making changes simply to “check-the-box,” rather than taking the time to assess the regulations and understand the steps their organization needs to take to fully comply.
To better understand U.S. companies’ overall awareness of, and preparedness to, address these new regulations, Experian Data Breach Resolution partnered with the Ponemon Institute to survey more than 500 individuals in IT security and compliance. The report, “Data Protection Risks & Regulation in the Global Economy,” found that despite having more than a year to prepare, only nine percent of organizations are actually ready to comply. In addition to this overwhelming lack of preparedness, the report also showed that companies are failing to take necessary steps – including fully understanding the regulation, properly engaging their senior leaders and investing in the right technology. These missteps, coupled with a quickly closing timeframe, are leaving many companies unprepared for the era of the GDPR.
Collective Failures of GDPR Preparation
The Ponemon Institute found through the survey that most U.S. multinational companies are struggling in the same three areas:
Failure to understand the regulation: Eighty-nine percent of survey respondents reported that the GDPR will significantly affect their data protection practices, but many aren’t sure what to do or where to begin. Fifty-nine percent reported that their organization doesn’t understand what they need to do to comply. This lack of understanding is highlighted by the fact that 34 percent of respondents reported their companies were choosing to close overseas operations to “prepare” for the GDPR rather than updating compliance practices. This reaction is a complete failure to understand the regulations and a dangerous way to avoid compliance. Regardless of physical business location, companies will be required to comply with the GDPR if they collect or store data on European Union citizens.
Failure to properly engage the C-Suite: The business impacts of the GDPR are sure to be far reaching, from initial set-up costs to maintenance, to high penalties for failing to comply. In fact, 69 percent of the security experts surveyed felt non-compliance would hinder their companies’ ability to do business globally. Despite this, only 30 percent of respondents said their organizations’ C-Suites were fully aware of the company’s compliance status. Even more concerning, just 38 percent said their executives viewed global data regulations as a top priority. The C-Suite must be properly engaged for a couple reasons: first, compliance with the GDPR will require additional budget, and second, compliance will require comprehensive changes across the company.
Failure to implement the right technology: Complying with the GDPR will require advanced security solutions that not only protect data, but also notify companies of a breach quicker than ever before. As companies move to prepare for the GDPR, many survey respondents cited a lack the right technology as a top concern, impacting their ability to comply to the regulations. In fact, 49 percent reported that their security solutions were outdated and/or inadequate to cope with a global data breach, and just 40 percent of respondents felt confident their organizations’ security technologies would adequately protect information assets and IT infrastructures overseas. More than a third of respondents noted that they also lacked the budget to invest in these technologies. Companies will need to move quickly to remedy this issue, conducing a thorough assessment of their technological needs to ensure they can combat advanced attacks and detect breaches swiftly.
What Can Be Done to Plan for the GDPR Era?
While there are clear areas for growth, the truth is that aspects of the GDPR can be confusing, and until it goes into effect next year, it will be difficult to fully understand how regulators will implement each rule. But companies should not use this as an excuse. Rather they should be taking calculated steps toward preparedness. The good news is that the report found that 41 percent of respondents noted their companies were taking actions to prepare, including:
Seventy percent are conducting assessments of their ability to comply with regulations;
Fifty-seven percent are investing in modern technologies or services such as analytics and reporting, consents management and encryption; and,
Fifty-five percent are appointing a data protection officer, as required by the GDPR.
Given that the GDPR essentially creates a worldwide notification protocol, it will be important for multinational companies to prepare for the new rules and think beyond the mandated regulations to things such as coordinating a global response, engaging with stakeholders and keeping consumers notified. Thinking through a response plan is crucial to not only compliance, but also to protecting consumers and brand reputation.
So, what can a company do to improve their state of preparedness for the GDPR? There are a few key steps that should be taken immediately, including:
Coordinate Steps for a Multinational Response: Moving into 2018, it is critical that companies identify and train a multinational response team that can be activated in a moment’s notice. This team of internal support and third-party vendors – lawyers, communications specialists, a data breach resolution provider and forensic experts – can help serve as “boots-on-the-ground,” helping ensure local laws and customs are followed. To ensure a quick response, these partners should be identified during the planning phase – well before a breach occurs. The exact makeup of the team will not look the same for all companies, and depending on the extent of the E.U. resident data they are collecting, enterprises may choose to set up a support team in each country of operation or even a centralized response hub. Whatever the end group looks like, the response plan should also be reviewed and practiced on a regular cadence to ensure the process will move smoothly in a real-time scenario.
Prepare for Increased Stakeholder Engagement: With the GDPR will come a new group of stakeholders for companies to work with, perhaps most importantly, data protection authorities (DPA). It is imperative that companies know who these key stakeholders are, and work to build relationships as appropriate. The new regulation requires companies notify their DPA within 72 hours of discovering the breach; this will likely be one of the biggest hurdles companies face. Having a multinational response team coordinated in advance can be the difference between compliance with the law and sizable fines. Local legal partners should be able to provide guidance on engaging with the appropriate DPA. Reaching out to regulators early can also reduce scrutiny and can help streamline the process.
Consumer Notification and Support: One of the biggest challenges companies may face during a post-GDPR breach is notifying consumers and setting-up call centers in multiple languages. Judging from the survey, 73 percent of respondents noted that notification on a global scale is going to be very difficult. This indicates that not only are the logistics of delivering notification to impacted consumers difficult, there is also an increased timeline, which compounds the challenges companies face. While the GDPR requires consumer notification “without undue delay,” there are no hard and fast deadlines. But considering that once a DPA has been notified, the breach will essentially become public – making it crucial that companies are prepared to notify and address consumer concerns in a timely fashion. This means ensuring people receive notifications in the correct language, and are directed to a call center that can answer their questions. Another consideration for consumer support that a company should address during the planning process is whether or not they will offer identity protection services to affected consumers. While not mandated by GDPR, these services can help quell the fears of those impacted by the breach, and ultimately help improve a company’s reputation post-breach.
Even though much of the conversation around preparation for the GDPR has currently focused on a “doom and gloom” message, a thoughtful plan of action will be key to operating successfully in the post-GDPR world. Companies must take action now to get themselves ready, starting with a thorough assessment of the regulations and steps their organization needs to take to comply. By developing and practicing a proper response plans, companies will ensure that the impacts of the new regulation do not prove fatal for their business.