Prepare for GDPR

Deadline nearing for tough, new data protection standard with a global impact.

The European Union’s General Data Protection Regulation (GDPR) goes into effect in less than a year, and data security experts say it could be the strictest data privacy law ever enacted. Although it is designed to standardize data security legislation across Europe, it also has significant implications for U.S. companies.

Slated to go into effect in May 2018, the GDPR applies to all companies — no matter the size or location — that handle the personal information of anyone living in any of the EU’s 28 member countries. U.S. companies with customers or employees in the EU could face fines of up to 4 percent of their global revenues for noncompliance. Small to midsized businesses (SMBs) are subject to the same regulations, although they are given some consideration because they present less risk than large enterprises.

Despite the high stakes, many analysts say U.S. businesses are lagging in their compliance efforts. Gartner predicts that, by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.

“The GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU as well,” said Bart Willemsen, research director at Gartner. “Threats of hefty fines, as well as the increasingly empowered position of individual data subjects, tilt the business case for compliance and should cause decision-makers to re-evaluate measures to safely process personal data.”

Getting Personal

GDPR requirements regarding personally identifiable information (PII) are particularly troublesome for U.S. companies. The regulation mandates that all companies must know exactly where every instance of someone’s personal information is located. Furthermore, article 17 of the GDPR establishes a “right to erasure” that requires businesses to act on requests from individuals to have their data purged if it is no longer relevant or necessary.

However, analysts say the combination of data fragmentation and unstructured data hoarding within organizations will make it incredibly difficult for companies to comply with these provisions. The lack of visibility into dark data and information held outside of corporate IT systems complicates compliance. In a recent survey of 400 U.S. and European companies conducted by the market research firm Vanson Bourne, 85 percent of CIOs admitted that it is difficult to know exactly where all their customer data resides.

The growing use of unmanaged cloud-based file storage and consumer file-sharing services has become particularly problematic. A quarter of respondents to the Vanson Bourne survey admitted to using cloud-based services such as Dropbox, Google Drive, Syncplicity or Microsoft OneDrive against their current company policies. Another 25 percent reported running unrecognized offsite file storage services, making it even harder for IT departments to manage their use with recognized tools.

There isn’t even a consensus on what constitutes PII. Credit card, banking and health information are clear-cut examples, but what about IP addresses? PII is generally considered to be any information that can be used to distinguish one person from another. Jessica Rich, director of the Federal Trade Commission’s Bureau of Consumer Protection, noted in a recent blog post that persistent identifiers such as static IP addresses, MAC addresses and cookies should be regarded as “personally identifiable.”

Websites with data-capture forms fall within the scope of GDPR because they collect personal data. In a recent analysis of nearly 100,000 live websites, the security firm RiskIQ found that more than 30 percent would be in violation of GDPR because they are not securely capturing and processing personal data. In most cases, they were not using any kind of encryption or they were using very old encryption algorithms with known vulnerabilities.

Benefits of Compliance

With the deadline approaching, organizations should not waste time beginning their compliance efforts. They must assess the IT environment, identify weaknesses and correct any flaws. Organizations must either appoint or outsource a data protection officer to oversee data management processes.

“Good data management practices are key to GDPR compliance success,” said Carla Arend, Program Director, IDC. “Understanding where you have personal data — in which applications, on-premises or in the cloud, which processes use this data, and who owns it — is an important first step.”

Although compliance will require significant time and resources, the new regulation shouldn’t be seen just as a burden. It also presents an opportunity to improve operations and create competitive advantages.

Data quality is a key benefit. Poor data quality and haphazard data organization often keep data analytics from reaching its full potential. By forcing refinements in data collection and storage practices, GDPR can help organizations analyze data for deeper insights, improved workflows and cost efficiencies.

Improved data security delivers incalculable benefits. It reduces the risk of a breach, protects valuable data and diminishes the chance of financial losses from fines and remediation costs. Data security also improves an organization’s reputation and boosts customer relationships.

GDPR compliance poses a challenge for companies of all sizes, but organizations should remember that the law’s objectives are ultimately complementary to the objectives of most executives and organizations. Ideally, compliance should be seen as an investment that also helps an organization improve its ability to manage and protect its valuable information assets.