The European Union’s General Data Protection Regulation (GDPR) becomes law on May 25, 2018. This far-reaching regulation shifts the focus of ownership of data back to individuals – a boon to citizens, but a nightmare for today’s companies and organizations that must comply regardless of their physical location as their global digital footprints expand.
According to Crowd Research Partners’ 2018 GDPR Compliance Report, only 40 percent of organizations are either GDPR compliant or well on their way to reaching compliance by the May 25, 2018 deadline. If your organization is not among the compliant, you might be mired in what Deborah Hurley, a faculty member in the Brown University Executive Master in Cybersecurity (EMCS) program, refers to as one of the Seven stages of GDPR. The following is a condensed version of how she describes these stages in a recent EMCS Podcast. Perhaps these stages will sound or feel familiar.
Stage 1 – Shock and disbelief
The GDPR was adopted in 2016 with a two-year implementation window so that governments could get their legislation in order and companies could get to work on compliance. But even with a two-year warning, many companies are still either stunned with disbelief or in a state of full-on shock.
Fueling this problem is the fact that many U.S. companies don’t understand the full scope of the GDPR. Often you’ll hear leaders say that they don’t have offices in the EU, therefore they aren’t affected by the regulation. But the scope of the GDPR is quite broad; it applies to companies with business operations in an EU member country, but also to those that offer goods and services to EU residents — even if they’re free. Take, for example, a website that gives information about horoscopes and collects visitors’ information; the GDPR applies to that site if any of those visitors live in an EU member country. If your organization collects information — personal data and even behavioral data (where visitors click on a web page, how long they stay on a page, etc.) — about a resident of an EU country, then the GDPR applies to you.
Stage 2 – Denial
Despite this rather straightforward definition of which companies are affected by the GDPR, many remain in a state of denial. They think that regulators will go after the big fish – companies like Facebook and Google – because the penalties that those organizations would pay are much more substantial. The GDPR penalty for noncompliance or violation is 4% of the organization’s global turnover or 20 million euros, whichever is larger. So yes, that makes Facebook and Google interesting targets. But it doesn’t mean regulators won’t bother with the rest.
And it’s not just fines that regulators can impose. They can stop the processing of personal data if they find an organization is in violation of the law. They can stop the transfer of personal data outside of the EU to a third country. And they can also stop business operations or bring lawsuits against violators. So they have a whole suite of enforcement abilities at their disposal.
Still, many companies opt to simply decide that they are, in fact, compliant and ignore all reasoning and rationale. Instead of working through these stages of GDPR to arrive at a positive outcome, they’re sticking their heads in the sand.
Stage 3 – Pain
In this stage, as the shock wears off and denial gets old, companies start to wonder what they did to deserve such misery. They ask almost existential questions about the GDPR: Why is it being enforced? Does it have to apply to us? Do these regulators know how much it’s going to cost us to become compliant? Is this some sort of sick joke?
Stage 4 – Anger
The noncompliant become defiant during this stage. Executives wonder aloud, “Who does the EU think they are? They can’t tell me what we can and can’t do with information that we collect!” Well, unfortunately, they can.
Stage 5 – Bargaining
The noncompliant might also start to make bargains with higher forces that they know they can’t adhere to, like “Just let us be compliant and we’ll stop postponing our data governance initiatives!” Or they might think “We’ll just get our consultants to do it all!” Neither approach constitutes a compliance strategy.
Stage 6 – Depression
As it begins to sink in with the noncompliant that they can’t change their status overnight, there’s a feeling of hopelessness. And this feeling is fed by irrational thoughts that make the problem seem worse than it is. People think “Wow, this is unlike any regulation we’ve ever seen before, how will we deal with it?” When, in fact, it didn’t come from anywhere. The GDPR is actually part of a continuum of legislation to protect personal data and privacy that’s been going on for more than 40 years. So, it’s an incremental amendment to a global trend, rather than something altogether different, and it’s important for people to realize that. It adds perspective.
Stage 7 – Acceptance and hope
Once organizations have hit rock bottom, they may be able to begin to turn around and realize it’s time to assess and rebuild. By taking a good, hard, honest look at whether their organizations are affected by the GDPR, they can start to get a handle on compliance. Understanding the penalties that they might be up against and weighing them against the cost and effort required to become compliant, is also helpful. Then they can begin mapping out a plan.
Professor Hurley’s excellent encapsulation of GDPR helps us think about GDPR from the standpoint of a familiar model.
In brief, these are the steps to meeting the GDPR technical requirements:
- Perform initial readiness assessments
- Create a data mapping inventory
- Perform privacy and data protection impact assessments
- Address website tracking notifications and consent
- Put in place mechanisms for users to easily request personal data
There’s a lot to consider and forging a path to GDPR compliance takes more than technical know-how. It requires an understanding of policy and legal issues, customer relations, human behavior, and other factors. It requires cybersecurity leaders working together with their executives to come up with a plan— it may sound like quite a few steps, but it sure beats ignoring and suffering the legal and financial consequences.
Take Action: Next Steps…
LEARN HOW TO LEAD ACROSS LAW AND POLICY, AND MORE FROM INDUSTRY AND ACADEMIC EXPERTS LIKE PROFESSOR DEBORAH HURLEY AND ALONGSIDE SEASONED CYBER PROFESSIONALS IN BROWN UNIVERSITY’S EXECUTIVE MASTER IN CYBERSECURITY. THIS 18-MONTH DEGREE PROGRAM CULTIVATES HIGH-DEMAND INDUSTRY EXECUTIVES WITH THE UNIQUE ABILITY TO DEVISE AND EXECUTE INTEGRATED, COMPREHENSIVE CYBERSECURITY STRATEGIES THAT SPAN CYBERSECURITY’S GLOBAL, TECHNICAL, HUMAN, AND POLICY CHALLENGES.
source: Brown University