The Clock Is Ticking: Is Your Company Ready For GDPR?

Overview

Large technology companies being confronted by consumer privacy concerns have catapulted the issue of personal data protection into the global spotlight. Around the world, regulators have been stepping in to strengthen rules governing data protection. The European Union has been taking decisive action to make sure its citizens’ data is safe. The General Data Protection Regulation (GDPR), which comes into law on May 25, 2018, aims to crack down on the misuse or theft of personal information.

Businesses falling foul of GDPR face stiff penalties – €20 million ($25 million) or 4 percent of annual revenue, whichever is greater – not to mention reputational damage. Any company that processes the personal data of EU citizens, including those with fewer than 250 employees, will need to adapt its organizational and operational structures. Despite the threat of such severe fines, few companies appear ready. Recent reports found that two-thirds of companies aren’t prepared for GDPR despite months of planning.

The clock is ticking. Companies both large and small should waste no time minimizing their risk exposure and preparing for compliance. And though the danger of noncompliance looms large, the new regulations also present opportunities for those willing to meet them head-on.

In Depth

Any company, no matter where it is based, that holds European customer data will be covered by GDPR. That’s not all. The regulation will mean a sea change in how data is collected, stored and used.

As such, the new regulations will affect virtually every industry, from cloud computing to retail, health care to insurance. Even companies that have spent months implementing the proper controls and processes for when GDPR goes into effect are experiencing uncertainty.

The sheer volume of information written in the media in response to GDPR contributes to this uncertainty. For example, there’s a difference of opinion as to whether the hefty fines will actually be enforced or if some sort of grace period will be extended. However, the recent 2018 Cybersecurity Predictions from Aon’s Cyber Solutions notes that regulators are expected to be quite stringent.

Beyond Borders: Data Protection Laws Vary Throughout the Globe

The enforcement of similar regulations, such as Australia’s Privacy Act of 1988 – itself amended as the Privacy Regulation of 2013 and again as the Privacy Amendment Act of 2017 – illustrates the types of challenges companies must overcome to be GDPR-compliant. As a matter of comparison, in the first six weeks following the enactment of Australia’s updated Privacy Act in 2017, 61 companies made formal notifications of data breaches to the Federal Privacy Commissioner, according to Fergus Brooks, national practice leader for cyber risk at Aon Australia.

Brooks also noted that despite having to meet an Australian data protection law that came into effect in February of this year, many Australian companies who handle European clients’ data weren’t adequately prepared for GDPR. “Australian businesses are as a rule … well behind where we need to be,” said Brooks.

Although the laws are regional, there is global application. All companies will be affected in one way or another – even in the United States.

Compliance Risk Exposures for Different Types of Businesses

Brooks believes that such regulations should be viewed as borderless. “In today’s interconnected world, there are global implications to local laws. Simply put – if you have personal records of customers, they need to be protected,” he said. Still, different types of businesses will have to address risk exposure in different ways.

Multinational corporations

According to iapp, Fortune Global 500 companies are prepared to spend $7.8 billion to ensure compliance with GDPR. That investment will likely be spent in the following ways:

Enhancing comprehensive strategy for data privacy
Investing in new technology and hiring employees with specific skill sets
Fighting litigation or collaborating with compliance organizations

Small and midsize enterprises

A recent International Data Corporation report revealed that fewer than half of European SMEs are prepared for GDPR. Indeed, some 4,000 of these companies have already been affected by data breaches. To gain a competitive edge when it comes to data privacy, SMEs will need to tackle the following issues:

Determine how data is collected and used
Update and revise privacy agreements and handling and storage practices
Stay abreast of legal precedent

B2C and B2B risk profiles

B2C and B2B companies have different relationships with their customers, and this dynamic should be considered in relation to the collection and use of personal information. Both types of companies will need to consider the following:

When business data is personal data
Email marketing: Opting in/opting out
User consent and the right to be forgotten

How to Adapt to GDPR

In a recent Financial Times article, Vanessa Leemans, Chief Commercial Officer, Aon Cyber Solutions EMEA, said, “GDPR legislates a complete restructure of how personal data is stored and used – and, crucially, will hold companies more accountable for the data they hold.”

Effective organizational change begins from the top down. The chief information security officer and chief risk officer will play increasingly important roles in developing strategy and ensuring organizational health. Smaller companies without a c-level executive focused on data security or risk might consider hiring a data protection officer. Ideally, the DPO should be someone with cyber knowledge and expertise who can also conduct privacy risk–impact assessments.

Using GDPR Compliance to Strengthen Customer Relationships

Public opinion on data privacy is changing, and customers are increasingly placing importance on how a company protects their personal information. Leemans states that while regulations such as GDPR do create challenges, they also bring opportunity: “Companies can use regulations as opportunities to show how much they value customers.” She continues, “GDPR provides companies with the chance to reinforce their role as responsible stewards of personal information and to craft innovative privacy and security policies that better reflect the constantly evolving needs of digitization.”