Finally, after years of waiting, the General Data Protection Regulation (GDPR) goes into effect tomorrow, dramatically changing the rules for what you can and can’t do with the personal data of European citizens. Here are some final thoughts on the state of readiness, the scope of the impact, the biggest challenges, who will come out of this looking good, and who will not.
We’ve had years to get ready for May 25, 2018, the date the European Union set back in 2016 when it adopted GDPR to put the regulation into full effect. The law has far-reaching consequences for how organizations can collect, store, and process the personal data of EU citizens, and its protections attach to people in the EU rather than to citizenship. Companies everywhere must abide by GDPR when they handle that data, no matter where in the world the company happens to be.
The GDPR requires companies to:
- Spell out clearly how they intend to use people’s private data;
- Get permission (or consent) to use it;
- Take pains to store data securely;
- Notify people promptly when data is lost or breached;
- Promptly fulfill requests from EU citizens for a copy of the data collected about them and an account of how it is used; and
- Delete data at user’s request, per the “right to be forgotten” rule.
Fines of up to €20 million or 4% of the company’s worldwide annual turnover, whichever is higher, can be levied for the most serious violations, and member states may add penalties of their own, which gives companies ample incentive to comply with GDPR. But despite the financial motivations and the copious lead time, many companies – particularly those outside of Europe – are not ready for GDPR. In fact, many are now scrambling to make progress in a short amount of time, in the hope that regulators, should they come around, will see they’re making a good-faith effort to comply.
Final Countdown to Preparation
How many companies will be ready for GDPR tomorrow? Several surveys paint a picture of big gaps in readiness. According to a March survey of 302 C-level security execs by London-based security software firm Netsparker, 49% of the respondents are at least three-quarters of the way through the process, while a little more than one-third are halfway there.
A survey last month by ISACA (formerly known as the Information Systems Audit and Control Association) found that only one in three organizations in the EU would be ready on May 25. Companies in the pharmaceutical and advertising/media sectors were furthest ahead with their GDPR compliance efforts, ISACA’s GDPR Readiness Survey found.
In the last week, companies have scrambled to assess their exposure under GDPR, says Brian Vecci, a technical evangelist at Varonis. “While some companies have prepared for the GDPR for months and even years, others have only recently realized they need to comply and have to scramble a bit to catch up,” he says. “A county police department that issues a traffic ticket to a French citizen, a hospital that treats a German patient or a university enrolling students from the EU — all could be held accountable.”
Varonis conducted a recent survey that found 58% of companies have more than 100,000 folders open to everyone in the company. “It’s clear that a lot of companies aren’t even doing the basics and are setting themselves up for problems later this summer,” Vecci writes.
Because GDPR is such a far-reaching law that requires companies to make changes to their internal business processes, it’s not surprising that some companies have made more progress in building GDPR compliance into some business processes than others.
According to a February survey of 1,200 IT executives and personnel by Commvault, only 18% of organizations said they had the capability to delete personal data from all data stores when an EU citizen requests it. The survey also found that only 8% of respondents believed they could collate and export data from their organization to a third party at the request of individuals. Data discovery and mapping was the biggest area of concern for executives, according to ISACA’s GDPR Readiness Survey.
Market Opportunity for Vendors
GDPR is also providing a fertile ground upon which data management and analytic tool vendors can build products that purport to help companies with complex compliance requirements.
For example, Arcadia Data this week claimed that its flagship Hadoop-based analytic software is helping companies comply with the regulation by implementing certain data management standards, such as granular access controls and column-level security controls.
Arcadia co-founder and chief product officer Priyank Patel says GDPR will not be kind to companies that use “legacy” BI and analytic practices. “Legacy processes can increase the risk of failing to meet compliance standards, especially because data is often moved from silo to silo within those environments,” he says. “As a result, businesses must turn to modern data solutions with built-in compliance standards that make the data analytics environment less complicated.”
Another vendor hoping to leverage GDPR preparedness as a differentiating factor is C3 IoT. Yesterday the company announced Trūata, which was established by IBM and Mastercard earlier this year as a “GDPR-compliant data analytics services company,” has selected C3 IoT as its primary technology provider.
CARTO, a data analytics startup based in New York City and Madrid, Spain, is hoping to capitalize on the need to protect location data. “Not all data is the same!” states CARTO. “As location data becomes more prevalent, organizations will need to develop a plan for responsibly collecting, storing, and using it.”
A Silver Lining for Data
There has been much discussion about whether GDPR is good public policy that will protect individual rights or regulatory overreach that will stifle innovation in the emerging data economy. There is certainly a cost to becoming GDPR compliant – 37% of firms spent $5 million or less, while 27% spent less than $1 million, according to ISACA’s GDPR Readiness Survey.
Considering how much freedom companies historically had with big data projects and how little regulatory oversight there has been up to this point, it’s reasonable to assume there will also be opportunity costs associated with GDPR. The
“Prior to GDPR, savvy marketers decided what customer data was appropriate and how much of it they wanted to use…often to the consumers’ detriment,” says John Timmerman, a global industry evangelist with Teradata. “After GDPR goes live, the consumers decide what data the marketers get to use and how much of it they get to keep. This is actually a good thing for both the consumers and the businesses, although it represents the biggest immediate challenge for the latter.”
Regardless of who it benefits, GDPR is now the law, and data-loving organizations flout it at their own peril. The best course forward for companies that expect to do business with European Union citizens anywhere in the world is to ensure their data management and analytics processes match up to GDPR expectations. The good news is that treating GDPR as a best-practice will have long-term benefits to an organization in the form of better customer relationships, according to Matt Bertenthal, a senior privacy counsel at Medallia, which develops a customer experience management platform.
“The more an organization can do to demonstrate that they are being responsible and transparent about collecting, storing and using consumer data, the more willing consumers will be share it to enable a richer experience,” Bertenthal says. “GDPR creates a model for more responsible data collection, but following these general principles, regardless of regulation, is a best practice for creating and maintaining long-lasting relationships with customers.”
Regardless of whether or not your company is ready for GDPR tomorrow, it’s more important to consider the wider arc of history that’s currently playing out with regards to the collection and use of data early in the 21st century. “What we have to remember is that May 25 is not a ‘pencils down’ moment,” says Jen Brown, Sumo Logic’s data protection officer. “It’s the opposite — a continuation of our new era of digital privacy and awareness.”