Cybersecurity breaches make headline news, seemingly on a daily basis. Private data for millions of consumers is compromised at greater frequency. Organizations scramble to remediate damages and restructure their cyber defense tactics. To address this new normal and further protect personal information from data breaches, the European Union will formally implement the General Data Protection Regulation (GDPR) on May 25, 2018. Replacing its 1995 predecessor, The Data Collective Directive, the GDPR will hold organizations legally responsible for their awareness and commitment to appropriately managing sensitive, personal information, including everything from an individual’s name to their identity/Social Security number and IP address.
EU citizens may feel a stronger sense of security over their personal information, thanks to the GDPR specifications, which include providing personal consent for organizations to use data and having the rights to erasure and data portability. However, organizations around the world are responding to these new data governance and security requirements in different ways. Some are wholeheartedly complying with the regulations, while others are adopting a check-the-box mentality or ignoring how the GDPR will affect their consumers and lines of business. The journey to compliance may feel daunting for many, yet the latter two stances essentially skirt the GDPR and invite more risk than organizations may want.
Checking-the-Box Yields More Risk
The danger of a check-the-box approach is that it does not treat cybersecurity as a matter that affects every department of an organization. The focus is on keeping personal data private rather than on protecting it. Companies that take this approach, along with those that ignore compliance altogether, may effectively be waiting for a data breach before adopting a mature data security program.
We have seen consumer and market reaction to data breaches (e.g., Yahoo!, Equifax, Anthem), but consumers at large have often accepted these events as if the target company was doing the “right things” to prevent cyber attacks. Once the GDPR launches, however, this mentality likely will change. Consumers will have power and control over who holds their data and how their information is used. If breaches occur, non-compliant companies will be held accountable and fined up to 4 percent of their global turnover, or €20 million, whichever is greater. More importantly, these companies may irreparably damage customer loyalty.
Shifting Perspective Can Result in Three Key Benefits
The primary difference between companies that are equipped for the GDPR's May rollout and those that are not is a shift in perspective. Companies should consider taking a holistic approach throughout this compliance journey. Companies that achieve GDPR preparedness will realize several important benefits, including:
- Increased collaboration across the organization.
Cyber breaches are no longer siloed within the IT security team. Private, protected data circulates throughout most departments – from finance to sales, marketing, human resources and more. As organizations work cohesively to ensure GDPR compliance, they can collaborate and work cross-functionally to put best practices, policies and procedures into place throughout the enterprise.
- Greater customer loyalty.
Private, personal data is a valuable commodity. With cyber threats on the rise, consumers want to feel “cyber safe,” confident that their information is protected. Under the GDPR, businesses become more transparent to the customers who consent to their use of personal information, while non-compliant companies may be viewed in a negative light. In addition, customers now have the right to remove their data or transfer it to a competitor – pledging loyalty to another brand. Vendors will no longer be able to lock customer data away from competitors or conceal compromised information from consumers. Organizations that openly stress their GDPR compliance will maintain customer loyalty and are likely to attract more business.
- Increased confidence in cybersecurity management.
Many data breaches happen because of human error. These small mistakes can turn into costly catastrophes. The GDPR mandates that an official Data Protection Officer (DPO) be on duty for all EU companies that collect and process personal data. DPOs have many responsibilities, including training data processing teams, conducting audits and educating employees on compliance requirements. These measures will help reduce data breaches and increase cybersecurity.
Stand Out in the Race to GDPR Compliance
Companies that will stand out in the race to become GDPR-compliant are those that stay focused and seek help. Risk assessments can help organizations identify vulnerabilities and manage risks. Putting governance in place – updated policies and notices, program and application ownership, and processes to address right-to-be-forgotten inquiries – will help close specific gaps and complete a data inventory. Ensuring that your vendors also meet GDPR requirements is vital for ongoing, successful compliance.