On May 25, 2018, the EU General Data Protection Regulation, better known as GDPR, takes effect. It promises to be the biggest disruption to, and the biggest gain for, consumer data privacy protection worldwide.
Tens of millions of companies are estimated to be affected, from those headquartered in the EU to any foreign entity doing business in or with the EU.
AccessData approached the topic in the third of its three webinars, hosted by Matt Kelly, CEO and editor of Radical Compliance, with guests Zoltan Precsenyi, director of government affairs for EMEA at Symantec in Belgium, and Catherine Castaldo, global chief privacy officer at Nuance Communications and formerly with General Electric.
In a nutshell, GDPR covers the entire spectrum of personal data from its creation through its whole lifecycle. The regulation amounts to a complete rulebook for data governance: how data is managed, processed and protected, and what must be done with it once it is no longer needed.
“Many executives have not been ready to jump on board the GDPR train until now,” said Catherine Castaldo of Nuance Communications. “We’re seeing corporations with extensive global operations struggling to comply with GDPR.”
The GDPR Bill of Rights
A set of consumer rights is built into the regulation. European consumers can learn these rights and use them to protect their personal data, or, as Zoltan Precsenyi of Symantec warns, they can “risk ignorance.”
Each consumer is protected by a lengthy list of provisions, including the rights to:
- Be informed and have access to data collected about them
- Rectify incorrect data
- Restrict processing of their data, and obtain a portable copy of it from wherever it is stored
- Erase personal data or be forgotten
“All EU residents must be aware of GDPR and be able to invoke their rights as private citizens,” said Precsenyi. “People have a fundamental right to free privacy claims without delay. GDPR has an extensive notion of personal data tied either directly or indirectly to an individual that goes further than business intelligence.”
Symantec research shows that only 20 percent of companies are confident they will be prepared for GDPR by the May 2018 deadline; the remaining 80 percent lag behind.
“There are many challenges with the consumer rights being written into the regulation, and it’s a big task,” stated Castaldo. “What’s difficult for data privacy and information governance experts to comprehend is how to track managed data of all kinds, what processes to put around it, and grasping how much there is to process. Many boards struggle to understand this complexity.”
GDPR Non-Compliance Carries Heavy Penalties
The fines for non-compliance fall into two tiers of sanctions. The lower tier, for lesser and largely technical failings (such as not meeting the regulation's obligations on security, records or breach notification), is capped at €10 million or 2 percent of worldwide annual turnover, whichever is higher; the upper tier, for breaches of the core data protection principles and of individuals' rights, is capped at €20 million or 4 percent of worldwide annual turnover. Should individuals suffer damages from non-compliance, further liability may ripple across the value chain, adds Precsenyi.
Castaldo says that although GDPR is oriented toward privacy, in practice it mandates a data governance program. Companies can begin with the basics: a data map covering data sources and collection points.
“Knowing what data you have is the first place to start. After that, map out where it is and how it’s collected,” said Castaldo. “Find the gaps and look for things to update. Leverage what you have, get your house in order now.”
Precsenyi offers a slightly different perspective, framed around the consumer.
“Risk assessment is not the wheel that needs reinventing,” he says. “These methodologies are relevant, but GDPR requires more homework because it focuses on one type of risk and any harm to processing of information about individuals. I encourage data mapping against consumers, and always do the right thing and demonstrate that you did.”
Mounting Pressure on Third-Party Vendors
Both Castaldo and Precsenyi agree that GDPR will put a new layer of pressure on third-party vendors and smaller companies. Independent oversight may help prepare vendors and companies for GDPR, but the biggest task at hand is getting to grips with the complexity of the regulation.
“There’s no silver bullet,” said Precsenyi. “Experience may cull the crop of vendors that are prepared to meet GDPR directly, and a lot of that preparedness depends on the internal privacy champions.”
GDPR affects every business function that handles personal data. The structure and size of an organization influence how well it organizes its GDPR compliance program. Success certainly begins with executive-level endorsement and sponsorship of the effort. Beyond that, a senior coordinator needs to hold people accountable to the action plan.
Looking ahead, each company must quickly assess whether it has the resources to appoint a data protection officer in-house or should outsource the function in order to comply. What is likely keeping executives up at night, however, is not whether to hire but where to find the talent.
Hear the conversation, hosted by Matt Kelly of Radical Compliance and his guests Zoltan Precsenyi and Catherine Castaldo here: