Preparing to Comply with the GDPR: Start Now, Plan to Invest

By Alex Wall
Esq., CIPP/US CIPP/E
Senior Global Privacy Officer
RADAR, INC. https://www.radarfirst.com/

In May of 2018, Europe’s General Data Protection Regulation (“GDPR”) will take effect throughout the European Union. While this may seem far off, the work ahead of companies dealing in international data exchange is substantial, and the clock is already ticking.

This broad legislation will set data protection standards for the EU and brings with it significant consequences for companies that engage in the trade of information and commerce across the Atlantic and the globe. The GDPR is pushing a sea change in international privacy law as countries work to reduce compliance risk on transborder data transfers from the EU by rolling out legislation designed to be “adequate” under EU law.

The sweeping legislation changes are accompanied by very real consequences. A new driver behind the flurry of compliance activities among companies with business in Europe is the possibility that fines that could reach four percent of global annual revenue for an entire conglomerate. To understand the risk exposure, companies are currently in the process of assessing their compliance with the upcoming regulation in light of the potential maximum exposure.

Surveys Indicate Companies Are Lacking in Preparation and Confidence

In a Dell-sponsored global survey of large companies with more than 10 percent of their customers in Europe, only one in three companies are prepared for GDPR today, and 97 percent don’t have a plan to prepare for GDPR.

Just within the UK, France, and Germany, 91 percent of respondents to a State of European Data Privacy Survey from Symantec expressed concerns about the ability to comply, but only 22 percent prioritize compliance in the next two years. Kevin Isaac, SVP at Symantec, expressed his thoughts that companies are underprepared and under-preparing: “There is a significant disconnect between how important privacy and security is for consumers, and its priority for businesses. The good news is there’s still time to remedy the situation—if firms take immediate action.”

In a Baker & McKenzie report comprising the results of a survey of privacy professionals at the IAPP Global Privacy Summit 2016, 80 percent of the respondents felt they understood the major requirements of the GDPR, and 84 percent anticipated GDPR would impact their organization–but nearly half of respondents indicated they don’t have the tools to ensure compliance, or could only purchase the needed tools at significant cost. In fact, around 70 percent of the respondents anticipated additional budget or effort will be needed to comply with the new requirements by investing in tools.

Preparing for GDPR by Implementing Automation in Incident Response Today

Companies using automation tools in incident response for HIPAA, GLBA, and state breach law compliance today are already reducing risk exposure, saving time, and preparing staff and systems for the GDPR. This is because these data breach laws have certain commonalities when it comes to requirements around compliance. Across jurisdictions, companies are commonly required to:

• Create a record of impartial, consistent, and thorough compliance
• Assess incidents and notify of breaches under law and contract
• Apply a consistent multi-factor risk assessment standards to every incident
• Implement privacy and security incident management processes
• Continually monitor an organization’s compliance
• Implement and administer a privacy program
• Track processing activities, agreements with sub-processors who process personal data, and record how and why
• Track and document personal data incidents
• Be prepared to provide consistent and comprehensive reports to auditors, and regulatory agencies and satisfied investigators
• In the event of a breach, be prepared to notify the data protection authority with relevant details about the breach, such as:
• A description of nature of the breach in connection with personal data
• Contact details regarding the breach and the recommended measures to limit the negative consequences of the breach
• Information about the breach and its timing in general terms
• A description of the personal data involved in the breach
• A general account of what the organization has done to control or reduce the harm or mitigate ongoing risks
• In the event of a breach that requires data subject notification: what the organization will do to assist individuals and what steps the individual can take to avoid or reduce the risk of harm or to further protect themselves.
• Train staff on privacy and security compliance

Automation and the use of innovative technology to bring simplicity and consistency to incident response will be critical to staying on top of the changing–and increasingly stringent—requirements above. For instance, the GDPR’s 72-hour breach notification rule doesn’t provide ample time for a manual assessment process. Automated assessments, shared databases holding and tracking incident details, and integrated compliance systems will be critical to allow large organizations to be able to respond to every detected incident consistently within the allotted time.

If privacy and compliance are part of your company’s DNA now, you will be better equipped to comply with the GDPR.