- Operational: If you haven’t agreed on what your processes will be with a vendor, it’s not clear how you will be operating under GDPR.
- Vendor management: Under GDPR, you need to know how your vendors operate including their security framework and how they manage data. Without that knowledge, you don’t know the risk they present.
- Regulatory fines: Lewis notes that the EU is known for its willingness to levy steep fines for regulatory non-compliance. If a breach occurs, not having contracts in place might well work against the company. “Not having a contract is an indication you don’t know what your vendors are doing, and that is a larger management issue about what infrastructure you’re using and how you’re treating the data,” says Lewis. “It gives the regulator an idea of how organized you are and how well you understand your data flows.”
What happens if my company is not in compliance with the GDPR?
The GDPR allows for steep penalties of up to €20 million or 4% of global annual turnover, whichever is higher, for non-compliance. However, most of the fines imposed so far have been relatively small.
According to GDPR Enforcement Tracker, the EU has issued 282 fines as of May 29, 2000. The vast majority of those fines fall in the low-thousands to tens-of-thousands of euros range. The largest fine has been against Google, imposed in January for €50 million, according to DLA Piper's GDPR Data Breach Survey from January 2020. That fine was issued for lack of transparency and valid consent.
Regulators have admitted that they do not have the resources to handle the volume of reported breaches they've received, so it will take time for identifiable precedents to be established. Adding to that uncertainty is the perceived inconsistency of applying fines among the different ICOs. "Ask two different regulators how GDPR fines should be calculated and you will get two different answers. We are years away from having legal certainty on this crucial question," said Patrick Van Eecke, chair of DLA Piper's international data protection practice, in the company's report.
For now, the ability to show a good-faith effort to comply should protect companies from harsh penalties. In a speech in 2018, Liz Denham, the UK information commissioner, had this to say to organizations concerned about GDPR fines:
“…I hope by now you know that enforcement is a last resort.... Hefty fines will be reserved for those organizations that persistently, deliberately or negligently flout the law. Those organizations that self-report, engage with us to resolve issues, and demonstrate an effective accountability arrangement can expect this to be a factor when we consider any regulatory action.”
Which GDPR requirements will affect my company?
The GDPR requirements will force U.S. companies to change the way they process, store, and protect customers’ personal data. For example, companies will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies must erase personal data upon request.
That last item is also known as the right to be forgotten. There are some exceptions. For example, GDPR does not supersede any legal requirement that an organization maintain certain data. This would include HIPAA health record requirements.
Several requirements will directly affect security teams. One is that companies must be able to provide a “reasonable” level of data protection and privacy to EU citizens. What the GDPR means by “reasonable” is not well defined.
A potentially challenging requirement is that companies must report data breaches to supervisory authorities and to the individuals affected within 72 hours of when the breach was detected. Another requirement, performing impact assessments, is intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them.
For a more complete description of GDPR requirements, see "What are the GDPR requirements?".
What does a successful GDPR project look like?
It’s hard to imagine a company that will be more affected by GDPR than ADP. The company provides cloud-based human capital management (HCM) and business outsourcing services to more than 650,000 companies globally. ADP holds PII for millions of people around the world, and its clients expect the company to be GDPR compliant and to help them do the same. If ADP is found non-compliant with GDPR, it risks not only fines but loss of business from clients expecting ADP to have them covered.
ADP’s global focus and scale in some ways has been an advantage. It already adheres to existing privacy and security regulations, so the leap to GDPR compliance is not as high as it might have been. “We are already familiar with privacy laws in Europe. We are not starting from scratch with GDPR,” says Cecile Georges, chief privacy officer for ADP. “GDPR triggers the need for us to comply not just as a company, but also as a service provider. We help our clients comply with GDPR.”
Despite ADP being better prepared than many other companies, Georges says its GDPR project is large and global. It began about a year ago, but the project builds on earlier work. “We started even before GDPR was discussed,” she says. The company began data flow mapping and privacy assessments on new products several years ago.
Georges sees the early start on data flow mapping as key. “If we had not started the data flow mapping a long time ago, I would be less confident than I am speaking to you now,” she says. “Data flow mapping is required to do inventory of products, and processing PII is a first step to data protection impact assessments that are required. We’ve also implemented privacy by design in our new offers and products.” She adds that ADP supports its “privacy by design” policy with training for its developers.
ADP’s GDPR project pulls in people from many areas of the company, and Georges believes this is necessary for success. “We are involved in the organization, all the operations, and the functional groups. It’s not just a pure privacy or compliance project. It really involves the entire organization and we are coordinating with project managers across the company to make sure we implement the right processes across the organization,” she says.
Mechanisms for securing PII such as encryption are already in place at ADP. “From a security standpoint we came to the conclusion that it’s more about communicating with our clients, making sure they have the right information about what we are doing,” says Georges. “They may have to convey that message to their employees or to their own clients.”
Because ADP is a data processor for other companies, ADP has taken the optional step of defining Binding Corporate Rules around protecting PII. “With the implementation of Binding Corporate Rules as a data processor, we hope that our customers understand that we want to make their lives easier and we commit to protect their personal data in accordance with the standards required in the EU, regardless of where the European data is processed, accessed, or hosted,” says Georges.
Georges says she hears from other companies that aren’t yet on track for GDPR compliance. “The clock is starting to tick,” she says. “If a company has not started to look into what they need to do, they first need to understand what it means for them in terms of their business. Understand first to what extent they are affected by the new regulation and then do a gap analysis. That is the starting point of any project to assess what they need to do.”
She also encourages companies to take an operational approach. “My recommendation is to have representatives of all the functions in the organization and not consider it a pure privacy or pure legal compliance project,” Georges says. “It would take too much time for operations to understand exactly what they need to do, whereas if you involve them from the beginning they can tell a lawyer or privacy professional, ‘We are already doing this,’ or ‘Technically, we can’t do this, but this is how we can address this requirement.’”
“There are different ways of applying GDPR depending on your business and the tools you have in place. The business people can assess that,” says Georges. “Once they have done the assessment and decided what to do, then they have to document what they are doing.” Georges is referring to the GDPR’s accountability principle, which requires companies to document how they’ve become compliant. “The documentation piece will be key.”
What should my company be doing to stay GDPR compliant?
If your organization is not confident of its regulatory compliance status and has determined that non-compliance poses a significant risk, following these steps can get you on the right path.
Set a sense of urgency that comes from top management: Risk management company Marsh stresses the importance of executive leadership in prioritizing cyber preparedness. Compliance with global data hygiene standards is part of that preparedness.
Involve all the stakeholders: IT alone is ill-prepared to meet GDPR requirements. Start a task force that includes marketing, finance, sales, operations—any group within the organization that collects, analyzes, or otherwise makes use of customers’ PII. With representation on a GDPR task force, they can better share information that will be useful to those implementing the technical and procedural changes needed, and they will be better prepared to deal with any impact on their teams.
Conduct periodic risk assessments: You want to know what data you store and process on EU citizens and understand the risks around it. Remember, the risk assessment must also outline measures taken to mitigate that risk. A key element of this assessment will be to uncover all shadow IT that might be collecting and storing PII. Shadow IT and smaller point solutions represent the greatest risk for non-compliance; ignore them at your own peril.
And there are a lot of them. According to Matt Fisher, IT thought leader and senior vice president at Snow Software, more than 39,000 applications are known to hold personal data. “The iceberg effect poses a serious risk to organizations’ GDPR compliance as many are focused on the 10% of applications holding personal data that are visible at the water’s surface,” he says.
Fisher cites the change in how organizations allocate their IT and technology spend, with business units expected to own about half of it by 2020. “As IT teams lose sight of the applications in use across the organization, they lack overarching visibility into the applications that could threaten GDPR compliance,” he says.
“Getting started [on the risk assessment] is the biggest obstacle,” Fisher says. “As a first course of action, organizations must get a full picture of their entire IT infrastructure and inventory all applications in their estates. This, coupled with specific insight about which applications can process personal data, dramatically minimizes the scope of the project as well as the time spent on it. Suddenly, the impossible becomes possible.”
Hire or appoint a DPO if you haven't already done so: The GDPR does not say whether the DPO needs to be a discrete position, so presumably a company may name someone who already holds a similar role, as long as that person can ensure the protection of PII with no conflict of interest. Otherwise, you will need to hire a DPO. Depending on the organization, that DPO might not need to be full-time. In that case, a virtual DPO is an option. GDPR rules allow a DPO to work for multiple organizations, so a virtual DPO would be like a consultant who works as needed.
Create and maintain a data protection plan: Most companies already have a plan in place, but they will need to review and update it to ensure that it aligns with GDPR requirements. Review and update periodically.
Don’t forget about mobile: According to a survey of IT and security executives by Lookout, Inc., 64% of employees access customer, partner, and employee PII using mobile devices. That creates a unique set of risks for GDPR non-compliance. For example, 81% of the survey respondents said that most employees are approved to install personal apps on the devices used for work purposes, even if it’s their own device. If any of those apps access and store PII, they must do so in a GDPR-compliant manner. That’s tough to control, especially when you factor in all the unauthorized apps employees use.
Document your GDPR compliance progress: “With the clock ticking, organizations must demonstrate that they are making progress against completing the Record of Processing Activities (RoPA)—article 30 of the GDPR regulation which is centered around taking inventory of risky applications—to avoid being an easy target for regulators,” says Fisher. “Establishing the RoPA is the essential piece to focus on at this stage in the game as it enables organizations to identify where personal data is being processed, who is processing it and how it is being processed.”
Implement measures to mitigate risk: Once you’ve identified the risks and how to mitigate them, you must put those measures into place. For most companies, that means revising existing risk mitigation measures. “Upon taking inventory of applications and completing the RoPA, the GDPR team can now spot and investigate any risks associated with the data and determine the appropriate level of security deemed necessary to protect that data,” says Fisher.
If your organization is small, ask for help if needed: Smaller companies will be affected by GDPR, some more significantly than others. They may not have the resources needed to meet requirements. Outside resources are available to provide advice and technical experts to help them through the process and minimize internal disruption.
Test incident response plans: The GDPR requires that companies report breaches within 72 hours. How well the response teams minimize the damage will directly affect the company’s risk of fines for the breach. Make sure you can adequately report and respond within the time period.
Set up a process for ongoing assessment: You want to ensure that you remain in compliance, and that will require monitoring and continuous improvement. Some companies are considering incentives and penalties to ensure that employees follow the new policies. According to a survey by Veritas Technologies, 47% of respondents will likely add mandatory GDPR policy observances to employee contracts. Twenty-five percent might withhold bonuses or benefits if a GDPR violation occurs, and 34% say they will reward employees for complying with GDPR.
Do all of this with an eye to improving your business: According to a survey by Varonis Systems, 74% of respondents believe that complying with GDPR requirements will be a competitive advantage. Compliance will boost consumer confidence. More importantly, the technical and process improvements necessary to meet GDPR requirements should enable efficiencies in how organizations manage and secure data.