I recently sat down with Pat Clawson, CEO of Blancco Technology Group, to discuss the EU General Data Protection Regulation (see this infographic for a brief summary of the EU GDPR).
Blancco recently conducted some research into how ready organisations are to comply with the new Regulation.
You can access this research here.
After reading the report, I had a few questions:
Hi Pat, thanks for taking the time to speak with me – let’s dive straight in.
Only 23% of respondents to your survey say they are prepared for the GDPR. Do you think this lack of preparedness is more a reflection of organisations being cautious rather than ineffectual? The regulation has been a long time coming. Do you think businesses have simply been holding back until it is actually enacted or are there other issues in play?
Because the EU GDPR negotiations stretched on for the last four years, many organisations held out hope that an agreement would be postponed, or if things went the way they hoped, the negotiating parties would never come to agreement. And even if the negotiations moved ahead, many organisations thought the US-EU Safe Harbor agreement would protect them – but the courts invalidated the agreement, too. So, now that the GDPR is a reality and the new privacy rules will be ratified by the European Council in early 2016, many organisations have a considerable amount of work ahead of them to align their IT governance and data protection programmes with both regulatory and customer demands.
When we looked at our study’s findings, several factors came up as contributing to their unpreparedness. For one, 41 percent of the global IT professionals surveyed reported that they don’t maintain documentation of the defined processes/technology used to remove outdated or irrelevant customer data. That’s a frighteningly large percentage by any measure. But it’s even worse when you consider that 60 percent of global organisations said it would take them up to 12 months to develop and implement the necessary IT processes and tools to pass a “right to be forgotten” audit, and another 25 percent don’t even know how long it would take.
Do you think the lack of preparation is more a matter of ignorance? According to your report, less than half of the respondents are even aware of the Regulation. If this is true of the IT professionals you surveyed, is the figure likely to be significantly lower among others – smaller companies that don’t have their own IT departments, for instance? Given the number of organisations that will be affected by the regulation, does there need to be more publicity about its requirements?
I wouldn’t call it ignorance; however, with respect to data privacy and protection, it does often require regulation to ensure organisations give it the full attention it deserves. And the fact of the matter is that most organisations don’t really think about data across the entire lifecycle – so it’s usually relegated to something that needs to be dealt with on ‘equipment.’
I think it’s a fair assumption that levels of awareness are lower outside of the IT department, which is problematic in smaller companies but also in the boardrooms of some of our largest corporations. Compliance with EU GDPR will require investment in new IT processes, training and education for IT/tech/marketing/legal staff inside organisations and a thorough review and audit of existing technologies (and ones that still need to be implemented). So it’s very important that business leaders – all the way up to CEOs and the board of directors – provide the appropriate resources to implement these. But doing that means CIOs need to communicate the importance and value in the context of how it will impact business growth and revenue. That’s the only way budgets will increase, staff will be added, new technologies will be purchased, and so on.
I’d certainly advocate for more publicity on the matter because while two years might seem a long time, it really isn’t when you consider the scale of the change organisations would need to make to truly be compliant. It’s not something that can be done quickly and it’s certainly going to require a heavy investment, which we know can often take long periods of time to obtain.
In terms of convincing people to begin their preparations, the maximum fine of 4 percent of an organisation’s worldwide turnover, or €20 million, should be plenty to get companies moving in the right direction.
What advice would you give to those companies who are unprepared and don’t know where to start? What are the most direct routes to compliance?
My advice would be to start planning as early as possible and to treat the Regulation as a starting point rather than the finishing post. Going the extra mile to show you value your customers’ data simply makes good business sense. But when that trust is eroded, we’re talking about more than just immediate losses; we’re talking about long-term sales losses, reputational damage that can be really tough to recapture and even employee turnover.
Because this is such an important piece of regulation, we’ve been working hard to educate organisations as much as possible. For one, we’ve created a GDPR study surveying IT professionals, a 12-Step Action Plan to prepare for compliance, and we also partnered with the legal firm DLA Piper on a webinar to help organisations distil the GDPR’s legal requirements into ‘what’ and ‘how’ they can prepare for compliance by 2018. We won’t stop until organisations both inside and outside of Europe understand how the law could affect them and what they should be doing to remove data properly.
How troublesome do you think enforcement will be? The ICO can impose fines of up to £500,000 for breaches of the DPA, but simply doesn’t have the resources to use this power on a scale that acts as a sufficient driver for businesses to improve their data security. Do you think the GDPR will be any different in practical terms?
For the Supervisory Authorities, I’ll be curious to see how they are able to manage the workload of monitoring and enforcing the law. But even at this early stage, I’m confident it will be different in practical terms.
For the first time, we will have a single regulation that applies to all companies that offer services in the EU. That makes it very difficult to ignore. And consumer attitudes towards data protection are hardening with each and every data breach that happens (and hits the media), meaning regulators will be under heavy pressure to take significant action against those found to be in breach of the rules.
In regard to the mandatory notification of data breaches, how easy will it be to enforce, and how will companies – smaller ones especially – equip themselves with the infrastructure to inform their customers if they fall victim to a breach?
I don’t necessarily think it will be all that easy for the Supervisory Authorities to enforce the GDPR’s mandatory breach notification rule. But that has more to do with resources than anything else. With this regulation, we’re going to see the number of companies being investigated, fined and going into legal action increase pretty significantly. As that happens, it’s going to be tougher and tougher for the Supervisory Authorities to keep up unless they add new staff and bring in more resources to handle the uptick in GDPR violations.
If you’re looking to find out more about the General Data Protection Regulation, I suggest that you visit our GDPR information page.