The General Data Protection Regulation (GDPR) is now being enforced, and 60 percent of affected businesses are not prepared. This is concerning, but I’m not here to spread the fear, uncertainty and doubt (FUD).
GDPR is a good thing. It requires businesses to better protect any personal data of EU citizens that they control or process. Ironically, over the coming months, it’s going to look like companies are doing a worse job at protecting the data, because they’re also required to better understand and monitor data privacy and more diligently report any breaches – which means…
We’ll see a significant increase in reported breaches
Let’s look at what happened in Australia recently – in February, the country enacted the Notifiable Data Breach regulation, which increased requirements around breach notification, and immediately, reported breaches skyrocketed. After there were only 114 breaches reported to the Office of the Australian Information Commissioner in the entire 2017 financial year, there were 63 in the first six weeks after the regulation took effect.
We’ll see a similar surge in reported breaches now that GDPR is enforceable, thanks to its 72-hour breach notification rule. But there’s no need to panic. It won’t mean hackers are suddenly far more successful; it will reflect that businesses are doing a better job understanding and monitoring the data they’re responsible for and being transparent about any breaches – which we desperately need.
This will not only benefit consumers, who are increasingly concerned about their data security – and rightfully so – given the Facebook/Cambridge Analytica data scandal. It will also benefit businesses, which are suffering more serious breaches than ever before, and can reduce the cost of breaches by up to 70 percent by cutting their detection and response time in half.
So, how can a business ensure it’s reporting breaches within 72 hours as required by GDPR?
First, ensure your security incident response plan is updated. Then you need to understand all the data you’re responsible for as well as what risks are associated with it. Start by taking a comprehensive inventory of all the personal data of EU citizens that you collect, store, or process.
Personal data includes the obvious information – name, address, email address – as well as anything that can be used to identify an individual, such as IP address, location data, or even any information specific to the individual’s physical, genetic, mental, economic, cultural, or social identity. It’s intentionally broad; go ahead and document everything.
You should track all this data in a spreadsheet, using the columns to include as much background information as possible: department, system, administrator, data type, where the data is located, who provided the data and why you collected it. Lisa Hawke over at Everlaw has a great tool to help you. Going through Everlaw’s tool with each data set owner will open your eyes to how powerful GDPR is concerning personal data rights.
Once your data inventory is as complete as possible (by the way, this is a never-ending process), you need to create a risk register to evaluate the risks associated with each individual data set. The risk register should include the vulnerabilities and threats associated with the data as well as the likelihood and potential impact of each.
Referencing this information, discuss with your business the administrative and technical controls necessary to ensure a level of security appropriate to the risk. You may need to consult third-party experts here. The regulation also mandates that you continue to monitor these risks and the accompanying controls to ensure they’re effective and that they reflect any changes in the data or in the associated threats and vulnerabilities.
Speaking of changes in the data… that brings us to my next prediction.
Companies will receive a ton of “Right to be Forgotten” requests
In addition to strengthening data security, the other primary objective of GDPR is to put EU consumers in control of their own personal data. To that end, it’s adding a few key rules:
- Businesses must obtain consumers’ explicit consent before controlling or processing their personal data
- Consumers can revoke their consent from any company at any time
- Consumers can request to see what information companies have about them, as well as why they have it and how they’re using it
- Consumers can demand that businesses delete their data
Given the fourth point, we’ll see something even bigger than the surge in reported breaches under GDPR: a tsunami of “Right to be Forgotten” requests, as individuals or “Data Subjects” capitalize on the new privilege and detach themselves from companies that they perceive to have poor data security practices. (Bolder prediction: #DeleteMe will be the next #DeleteFacebook.)
Of course, this means your business needs to be able to delete individuals’ personal data upon request and prove that it did so. You need to establish policies and processes for doing this efficiently, without creating larger operational or compliance issues. Ignoring the requests gives the individual the opportunity to file a complaint with the Supervisory Authority, which will intervene.
As is the case whenever a business is suspected of violating GDPR, the Supervisory Authority will conduct an analysis to determine whether you breached the rules. If it concludes you did, you’ll face four possible sanctions:
- A fine of up to 4 percent of annual worldwide revenues or 20 million euros (whichever is greater)
- A suspension of data flows to a recipient in a third country
- A reprimand
- A ban on processing or controlling the data (temporary or definitive)
These punishments – even with their potential severity – shouldn’t be the only motivating factor for achieving compliance. Instead, keep in mind that compliance will be beneficial in the long run for your company and all customers/partners/suppliers.
This starts with maintaining a better understanding of the personal data you’re responsible for as well as the risks associated with it and making sure you can respond to #DeleteMe.