Tomorrow is GDPR deadline day — the day the European Union’s stringent new General Data Protection Regulation takes effect — and experts say most Colorado Springs companies aren’t ready.
If you’re scrambling, you’re not alone.
“Many U.S. and Colorado businesses, even large enterprises, aren’t ready because they don’t plan ahead,” Trevor Dierdorff, Amnet founder and CEO, said in an email. “Instead they operate in a reactionary mode. There is already so much compliance domestically to address.”
The GDPR is the biggest overhaul of Europe’s data protection rules in two decades (it replaces the 1995 Data Protection Directive), and companies worldwide are affected by a web of rules covering consumer consent, the lawful basis for processing personal data, and breach reporting.
When the Ponemon Institute surveyed 1,000 companies in April, half said they won’t be GDPR compliant by the May 25 deadline, or don’t know if they will be. Just 10 percent said they’d be ready before May 25.
By industry, 60 percent of tech companies, 63 percent of financial services firms, 50 percent of health and pharmaceuticals companies and 49 percent of consumer products businesses said they won’t be ready for the new regulations.
Shawn Murray, president and chief academic officer for Murray Security Services, was blunt about the deadline: “Nobody’s going to meet it by the 25th of May. Well — I wouldn’t quite say nobody, but what the industries are doing is they’re looking for somebody like Facebook to take the first [GDPR compliance] assessment and get slapped around, to see what’s going on,” he said. “People are doing things as far as identifying a data protection custodian — they’re doing some of the basic things so they appear to be moving ahead — but there’s so much infrastructure and resources that they’re not familiar with, that they’re waiting to see what other people are doing before they move forward.”
Murray said the EU hasn’t yet issued assessment criteria — and for businesses trying to comply, he said, “that’s the big thing: You give us a framework at a very high level but you don’t tell us how you’re going to assess us when you come in.”
There aren’t obvious answers. The GDPR is complex, and many companies are still struggling to work out whether, or how, its requirements apply to them. Those requirements include notifying the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it; spelling out what data is being collected, and why; and giving individuals access, on request, to the personal data held about them.
“If you’re in the United States and you’re a small organization, they’re reaching out to lawyers who don’t know, who are referring them to lawyers who think that they know, but they’re not sure — it’s a mess,” Murray said. “It’s a mess.”
As Murray notes, small businesses can indeed be subject to the GDPR. What matters is where the people whose data is processed are located, not their nationality: a company of any size that offers goods or services to, or monitors the behavior of, people in the EU must comply with respect to that data, even if it has no business presence there. (An EU citizen living in the United States is not covered; a U.S. citizen living in the EU is.)
“The mandatory 72-hour GDPR breach-notification period has security professionals at Amnet [concerned] because most businesses aren’t prepared,” Dierdorff said. “The United States doesn’t have a national data-breach notification requirement. However, most states do require notification within 30 to 45 days.”
For American companies that need to comply, the GDPR also broadens what counts as personal data, and how it must be handled. Personal data includes name, home address, email address, ID numbers, location data, IP addresses and cookie identifiers, since each can identify a person directly or indirectly. “Sensitive” data (the GDPR’s “special categories”) requires even greater protection and may not be processed at all without a specific legal basis; it includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, and sex life or sexual orientation.
Noncompliant businesses may be fined up to 4 percent of worldwide annual turnover or €20 million, whichever is greater.
“Further risk is that the consumers whose data is breached can file class-action suits against them for noncompliance,” Dierdorff said.
Many companies are taking a wait-and-see approach, and expecting to see tech giants tackled first, Murray said.
“[Information security experts are] all waiting for Facebook and Google to get assessed, because Google keeps trying to fight the EU data protection directive and the GDPR transition and they’ve been to court a couple times in the last few months and they keep losing,” he said. “So Google’s got a lot of work to do. So we’re waiting for those big companies to get slapped around a little bit. We don’t think they’re going to put prison sentences on people. But … if they don’t do due diligence and they don’t move forward and the appearance is they’re not taking it seriously — that’s when we expect the EU authorities to actually come back and start assessing fines.”
Learn more about the GDPR and the steps organizations will need to take to prepare their technology in the May 25 edition of the Business Journal.