GDPR: It’s the latest four-letter word in compliance circles. The European Union’s General Data Protection Regulation—designed to ensure that companies are protecting personally identifiable information—goes into effect in three short months, and the anxiety among those charged with meeting its terms is palpable.
The concern, say data-privacy experts, is warranted. “The new GDPR regulations are a beast, period,” said Jason Hoenich, co-founder of cybersecurity awareness company Habitu8. The EU’s own GDPR web portal calls it the most important data-privacy change in 20 years and features a ticker counting down the seconds until enforcement. “The GDPR represents a sea change for global companies,” according to Lisa Sotto, managing partner and chair of the global privacy and cybersecurity practice at law firm Hunton & Williams, noting its stringent requirements and severe penalties for noncompliance. “The extensive territorial reach of the GDPR means that many companies that did not previously need to comply with EU data-protection law will now be swept into this draconian regulatory scheme.”
Ninety-two percent of U.S. multinationals called the GDPR a top priority on their security agenda, with more than half saying it is the number one priority, according to a PwC survey. And meeting its requirements won’t come cheap. Of those companies that have finished their preparations, 88 percent spent more than US$1 million on GDPR prep, while 40 percent spent more than US$10 million, according to PwC.
As time to complete preparations grows shorter, the primary focus is on getting the necessary work done. “Companies are becoming more frantic about meeting their obligations under the new law,” said Sotto. “The anxiety is not limited to the legal department; it is spreading to the IT and information security teams.”
Sheep in wolf’s clothing?
But while GDPR compliance is a must-do for impacted firms, it is possible that long-term benefits will come to outweigh the costs for company leaders who are thoughtful in their approaches.
“The short answer is that too many businesses cannot comprehend the value of their cybersecurity investment,” said Greg Day, VP and CSO for EMEA at Palo Alto Networks. “GDPR does require that businesses can show why they made the decisions they did for cybersecurity—periodic assessment of the risks, what controls they have implemented, why they chose those and how they measure the effectiveness—which I would suggest is a positive for the business.”
The GDPR deadline is forcing companies to take a hard look at the data they collect, and that can have significant benefits beyond compliance. “Companies can use the GDPR as a good opportunity to finally get control over their customer data,” said Lei Shen, senior associate in law firm Mayer Brown’s Technology Transactions practice. “They can use this as a chance to make sure all their data is up to date, know where everything is stored and how it’s used, and get rid of any data they no longer need. The GDPR is also a good opportunity for companies to focus on data security and to ensure that good information management practices are put in place going forward.”
Shedding light on dark data
The GDPR is compelling organizations to assess what personal information they collect, where they keep it, and how they use it, but this information is not all neatly structured and stored away. It might be shared in emails, collected via phone calls, or extracted automatically for analytics purposes. Over time, so-called “dark data” accumulates, and most businesses have little insight into it or use for it.
The GDPR can force companies to reckon with these stores of idle and largely useless data that increase both IT costs and data-breach risks. Combing through structured and unstructured data to locate personal information, no matter where it is stored, can be an eye opener. “Most companies will come away from complying with GDPR with a much better understanding of their processing of information,” explained Hoenich. “It will force them to resolve weaknesses and vulnerabilities they might not have been aware of.”
Rather than continuing to accumulate personally identifiable data in an ad hoc way, companies can step back and ask what they really need, said Eric Simonson, managing partner with management consultancy Everest Group.
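The discovery work described above usually starts with a first-pass scan of unstructured stores for the obvious identifiers. The following is an added illustration, not code from the article or from any of the firms quoted in it: a minimal Python scanner that walks a set of text stores (here constructed in-memory samples standing in for a mailbox export, call-centre notes and an analytics extract) and builds an inventory of where e-mail addresses and phone numbers turn up. The inventory records only masked values, because the data map itself becomes a sensitive document once it holds copies of the personal data it catalogues. The store names, sample contents and regular expressions are all assumptions for the example; a real pass would add formats relevant to the business (national ID numbers, IBANs, postal addresses) and would not catch pseudonymous keys such as the `user_id` column in the analytics sample, which only becomes personal data when joined with a table that resolves it.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample "data stores" standing in for the places dark data accumulates:
# a mailbox archive, free-text call-centre notes, and a pseudonymous analytics export.
SAMPLE_STORES = {
    "mail/archive/2016-q3.mbox": (
        "From: anna.schmidt@example.com\n"
        "Hi team, call me at +49 30 123456 about the order."
    ),
    "callcenter/notes.txt": (
        "Customer Jan Kowalski, 0048 600 100 200, asked to be removed from the mailing list."
    ),
    "analytics/export.csv": "user_id,event\n1042,login\n1043,purchase",
}

# Assumed detection patterns: an RFC-ish e-mail address and an international phone
# number written with a + or 00 prefix. Deliberately simple; extend per jurisdiction.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?:\+|00)\d{1,3}[ \d]{6,14}\d"),
}


@dataclass(frozen=True)
class Finding:
    store: str   # where the value was found
    kind: str    # which pattern matched
    masked: str  # redacted form safe to put in an inventory report


def mask(kind: str, value: str) -> str:
    """Redact a matched value so the inventory does not itself hold personal data."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    # Phone numbers: keep only the last three digits for reconciliation.
    return "***" + value[-3:]


def scan_text(store: str, text: str) -> list[Finding]:
    """Run every pattern over one store's contents and return masked findings."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(store, kind, mask(kind, match.group(0))))
    return findings


def inventory(stores: dict[str, str]) -> dict[str, Counter]:
    """Map each store that contains personal data to a count of identifier kinds.

    Stores with no hits are omitted, which is itself useful output: they are the
    candidates for deletion or for confirming that they hold only pseudonymous keys.
    """
    result = {}
    for name, text in stores.items():
        found = scan_text(name, text)
        if found:
            result[name] = Counter(f.kind for f in found)
    return result


def report(stores: dict[str, str]) -> list[str]:
    """Human-readable lines for the data-mapping exercise, masked values only."""
    lines = []
    for name, text in stores.items():
        found = scan_text(name, text)
        if not found:
            lines.append(f"{name}: no direct identifiers found (check for pseudonymous keys)")
            continue
        for f in found:
            lines.append(f"{name}: {f.kind} {f.masked}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_STORES):
        print(line)
```

Run as written, the scanner reports the e-mail address and phone number in the mailbox export and the phone number in the call notes, and flags the analytics extract as free of direct identifiers. That last result is the caveat a practitioner should carry into the exercise: pattern matching finds what looks like personal data, not what is personal data, so the pseudonymous export still belongs on the data map once its join key is traced back to a customer record.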
Jumpstarting data governance
Smart companies “understand GDPR compliance as an overarching governance issue for the company, not simply a matter of legal compliance,” said Sotto. “These data stewards are carefully mapping their data flows to understand what data they maintain, how it is used, how to minimize the storage of data that is not needed, and how to safeguard data.”
Companies that have taken advantage of the two years they were granted to comply are putting in place robust data-governance frameworks. The appointment of a data protection officer, which the GDPR requires only for certain organizations, can also be a benefit for companies that are not obliged to have one. Strengthening data governance and creating a privacy-by-design framework will not only help companies meet EU regulations, but also serve them well as more countries amend their laws in a similar fashion, noted Sotto.
Increasing cross-functional collaboration
GDPR compliance demands cooperation across departments to fully understand all the ways the organization collects personal data and to decide how to manage it. “Teams that don’t typically work well together will be required to come together as one to complete the task,” said Hoenich. “That’s really powerful. I wouldn’t be surprised to see a lot of secondary processes being improved because of these regulations.”
Within some companies, it is making executives more engaged and accountable for cybersecurity indirectly, which is also a positive, according to Day of Palo Alto Networks.
However, increasing the stakeholders involved in GDPR efforts might not always be a good thing. “On the one hand, it helps to ensure that you solve for the right things and can get to the end goal in a better, faster way,” Simonson said. “But be careful how you involve people, and only choose those people that can truly help you. If someone sees more barriers than opportunities, it could slow efforts down.”
Accelerating data-driven innovation
As the GDPR forces companies to rethink their customer data strategies, these companies will have to adapt the ways they process, store, and protect customer data. Increased understanding of, and control over, customer data historically spread across business units, functional silos, and systems will create new opportunities to harness that data to build better relationships with customers, on their terms. “By being more transparent with customers regarding what the company is doing with their data, providing customers with increased control over their data, and providing increased security for the data, companies can use their compliance with the GDPR as an opportunity to increase customer trust,” observed Shen.
Forward-thinking companies will appreciate the convergence of these data-privacy requirements and advances in digitization, analytics, and automation. GDPR “is a good push down the path of what it means to be a truly digital business,” said Simonson. “It opens up new avenues of things companies can do to get value out of well-structured and appropriately used customer data.”