The GDPR 90-Day Countdown is on! (No Need to Freak Out)
February 26, 2018
May 25, 2018 is a day that many organizations have (or should have) marked on their calendars as a game-changing moment for their business. That’s the “go-live” date for the European Union’s General Data Protection Regulation (GDPR). As I previously wrote, this truly is a groundbreaking piece of legislation that should be taken very seriously. And if you read the countless GDPR-related research reports and surveys, it’s clear that few (if any) US companies impacted by the regulation will be fully compliant in the next 90 days.
Yet, I’m here to tell you there is no need to panic.
But if virtually no organization is fully GDPR compliant by May 25, how does one properly assess GDPR risk? This is where it is critical to understand the cultural differences between US and EU regulators. US regulators tend toward absolutism—you are either fully in compliance or you are not. EU regulators are more nuanced and focused on “intent to comply” rather than literal box-checking compliance. Because of this, May 25 should not be interpreted as a date for full GDPR compliance. Rather, it is a date by which companies must be able to prove their intent to comply. To do this, organizations should achieve the following three objectives by May 25.
Goal 1: Know where your GDPR-relevant data is located. Companies need to understand where this data is located and who has access to it. Once you know this, you can start taking the appropriate steps to protect that data. You can walk into your legal department and say, “I’m collecting this kind of data from EU citizens,” and ensure they have the right contracts in place to authorize that kind of data collection. Then you can make sure you have the right process controls in place to protect the data. Knowing where your data is located, making sure your data collection practices are legal, and having the controls to protect that data are all key milestones to reach by the May 25 deadline.
Goal 2: Develop a compliance plan. This is where we get into the difference between US and EU regulators. As I said earlier, US regulators lean toward the “absolutist” side of the house, while EU regulators view GDPR compliance as a process. As such, having a compliance plan in place by May 25 will dramatically reduce the risk of penalties. You won’t be in full compliance with GDPR, but being able to hand an EU regulator a compliance plan and say, “Here is how we plan to get to GDPR compliance,” will do a world of good. So, when you think about it, if you achieve goals 1 and 2, you can say to a regulator, “I know where my data is located, I know who has access to it, I understand my controls, I’ve confirmed my collection processes are legal, and I can report on all of this.” For the initial stage of GDPR, having a plan should keep your company out of immediate trouble.
Goal 3: Prioritize GDPR with the rest of your security program. This does not fall under the literal “GDPR compliance” category, but it is important not to repeat the mistakes of the past. With other major regulations like HIPAA, Sarbanes-Oxley and PCI, too often companies would drop everything and just focus on achieving compliance. In doing this, they neglected other parts of their security programs, causing the self-defeating situation where achieving compliance actually made them less secure. This is why we saw an explosion of medical data breaches even when most healthcare organizations were in compliance with the HITECH Act. As companies draw closer to the GDPR deadline, it is critical to build a strategic plan that prioritizes GDPR activities against everything else that needs to be done in the security program. This way you can meet your core security requirements while moving toward GDPR compliance.
Let me be clear. The EU is going to be penalizing companies. I fully expect regulators to make examples out of organizations that are woefully out of compliance, and the penalties are going to hurt. But if companies can achieve the above-listed goals, they will not be deemed “woefully out of compliance” and can progress down the road to GDPR in a safe and sane way—making that May 25 deadline much less daunting.