Preparing for the Next Wave in Data Privacy
June 01, 2018
By Warren Lutz
It’s being called the most important privacy regulation ever. Companies across the globe are talking about it—and hardly anyone is ready.
Ready or not, on May 25th, the General Data Protection Regulation (GDPR) took effect, establishing new requirements for protecting the data and privacy of European Union residents. But GDPR doesn’t just impact European businesses—it applies to any company, no matter where it is located, that offers goods and services and handles data on European customers. It also requires companies to delete a consumer’s data upon request.
While it’s too early to tell what the true ramifications of this sweeping new law will be, the potential liability is enormous. Non-compliance can cost an organization up to 4 percent of its global revenue. The problem is that many companies don’t know where to begin to comply, even though the law is already here.
Christy Wyatt, CEO of Dtex Systems, a provider of user behavior intelligence that detects insider threats, says that GDPR requires organizations to take precautions to protect their customers’ data. Many organizations don’t have a clear handle on the data they have—nor are they well suited to find all of it, she points out.
“In order to get to the conversation on how to protect data, you need to know where it is, how much there is, and what's available to you,” she said. “That could be a year's worth of investment, and it’s not fun work.”
Wyatt recommends caution before partnering with one of a growing number of GDPR compliance providers. “Many of these companies claim to have the answer. The best strategy is to go to your consultants, your lawyer or your accountant, and have them brief you on where they see a risk,” she said. “Organizations should be looking at the personally identifiable information (PII) they are collecting, who has access to it, and where it’s being stored. Then look for solutions that deploy quickly, easily and that have a short runway.”
Solutions should include an updated data policy—but policies can’t guarantee that data will remain safe. “Data security is a process, and there’s no end state,” Wyatt said. “You must constantly look at what might happen and take proactive steps. If your organization is breached and regulators find that you had a healthy security posture when it happened, and something just fell through the cracks, the outcome will likely be better than if you never did anything.”
Ersin Uzun, Vice President of R&D at Palo Alto Research Center (PARC), which helps companies develop technology, says there is a sense that GDPR is the first of more regulations that will change the dynamics of how organizations handle data. “All the informed players that I’ve been interacting with expect this to be just the beginning,” he said. “There is a little bit of panic right now.”
One of the problems, Uzun said, is that data storage has become so cheap that many companies simply decide to gather as much data as they can “and figure out if it has value later.” But GDPR requires companies to only collect data that is relevant and necessary to running their business. “There is a cost associated with trying to keep data ‘lakes,’ because now you’re responsible for keeping that data up to date and to store data only for a limited time for a justified business purpose,” Uzun said. “There are explicit requirements about preventing unauthorized access, giving users an option to be forgotten or opt out, and there are fees for not complying. All of this creates a potential big liability for companies that continue their current data storage practices, even if they only do business in the U.S. but have data in their systems about EU citizens that might be visiting or living here.”
In addition to stronger penalties, Himanshu Dwivedi, CEO & Founder of Data Theorem, a mobile application security provider, says GDPR will force organizations to create a new position – Data Privacy Officer. “That’s the new role we’re going to see among Fortune 500 companies, and he or she is going to be the main fall person in case something happens,” Dwivedi said.
But it may be a while before anyone understands what a “something happening” might be. Dwivedi compares GDPR to HIPAA, the groundbreaking healthcare privacy law rolled out in the 1990s. “It wasn't until a couple of years later that organizations understood what they needed to do or not do,” he said. “With GDPR, it’s too early to tell what the impact will be. When someone has to dish out a portion of their revenue as a fine, that’s when we’ll truly know what we’re in for. But at this point, it’s speculation.”
Ian Cohen, General Manager of Experian Consumer Services, believes GDPR and other recent data privacy laws could have an impact like what seat belt laws did for the automobile industry. Not only did seat belts make driving safer, he said, they helped certain car companies like Volvo use safety as a differentiator. “Seatbelt laws totally transformed the market. It wasn’t just about the regulation, even though it started out that way.”
So, do GDPR and other data privacy regulations create opportunities for companies? Likely yes, for some, says Cohen. “Like all new regulations, it will depend on how it’s rolled out, interpreted and enforced. If the primary effect is just a large legal bill that becomes the price of admission that only large companies can afford, that will stifle innovation and would be a real shame. However, if it opens the door to new protocols that make the internet safer, better and fairer, as I hope it will, it will create new opportunities for innovation that I think is long overdue. Consumers want and deserve more control over their data and identities than the current protocols allow. A forcing function always pushes the envelope, so whether by zeitgeist or regulation, change is coming.”
To be compliant with GDPR or any data privacy regulation, organizations “really need to understand what they’re holding onto and why,” Cohen said. They should also ask whether the data privacy policies they create make sense. “Can you explain it at a dinner party?” he said. “If you can't, you could end up in a lot of trouble.”
Ju-kay Kwek, Co-Founder and CEO of Switchboard Software, a provider of enterprise data automation software, says the key to data privacy compliance is not just securing data, but managing and tracking PII in particular. “We advise our customers against handling PII unnecessarily,” he said. “In cases where it’s inevitable, we provide customers with a clear picture of what they have and a paper trail of what has happened to it, so there is visibility and transparency.”
The problem for many companies, Kwek said, is that they may not have had data protection policies in place when they began collecting data. “Things like logging, monitoring or documenting data can be an afterthought. Unless those aspects are considered from the beginning, they won't be present when needed,” he said.
Kwek asserted that responsibility for protecting data privacy starts at the top of the organization, and that leadership should be asking themselves exactly what data they’re collecting, as well as what they’re doing with it. But treating data privacy as a mere compliance issue may not be sufficient to ensure data protection. “The important thing here is, it’s not purely a technology issue,” he said. “It’s a legal issue, it’s an ethical issue, and it’s a process issue in terms of how you organize and run teams. Most importantly it's a culture issue. If companies embrace data privacy from an ethical standpoint, a lot of these regulations start to make sense.”
GDPR has become such a hot topic that Ted Elliott, former Chairman and CEO of Jobscience, an ERP for staffing businesses with compliance monitoring systems for recruiting firms, has published YouTube webinars to clear up any confusion about the new law. “We tend to have a lot of companies that were very nervous about compliance requirements, so we tried to do a series of talks that go over what was urban lore and what was reality.”
If U.S. companies are worried about GDPR and feel they are not ready, they can take comfort in how companies in Europe are preparing. Elliott says European surveys found only a third of companies were ready. “It was clear that a lot of people didn’t have a clue what it took to be compliant,” he said. Elliott said most companies simply need to have best practices in place and make a noble effort to comply. He recommends that companies educate themselves on the new rules and find out how they currently handle data. Next, they can go to their attorneys or consultants and ask for any model policies they have on hand. Finally, they should provide employees and third parties with access to the policies and create corrective actions when there has been a violation. “You want to show you did something to fix it and aren’t just putting policies in place for an auditor to check off a box.”
Clearly, being aware of new data privacy regulations doesn’t mean an organization is prepared for them. But by asking the right questions and getting a handle on their current data management practices, companies can at least form the basis of a defense. At best, they can leverage new data privacy standards to find ways to innovate and spur growth. Like anything else, GDPR can be an excuse for failure or an opportunity to take things to the next level.