May 25 is GDPR deadline day — the day the European Union’s stringent new General Data Protection Regulation takes effect — and experts say most Colorado Springs companies aren’t ready. If you’re scrambling, you’re not alone.
“Many U.S. and Colorado businesses, even large enterprises, aren’t ready because they don’t plan ahead,” Trevor Dierdorff, Amnet founder and CEO, said in an email. “Instead they operate in a reactionary mode. There is already so much compliance domestically to address.”
The GDPR is the biggest overhaul of Europe’s data security rules in two decades, and companies worldwide will be impacted by a web of rules covering consumer consent, data processing and breach reporting.
When the Ponemon Institute surveyed 1,000 companies in April, half said they won’t be GDPR compliant by May 25, or don’t know if they will be. By industry, 60 percent of tech companies, 63 percent of financial services firms and 50 percent of health and pharmaceuticals companies said they won’t be ready.
Shawn Murray, president and chief academic officer for Murray Security Services, was blunt about the deadline: “Nobody’s going to meet it by the 25th of May. Well — I wouldn’t quite say nobody, but what the industries are doing is they’re looking for somebody like Facebook to take the first [GDPR compliance] assessment and get slapped around, to see what’s going on,” he said. “People are doing things as far as identifying a data protection custodian — they’re doing some of the basic things so they appear to be moving ahead — but there’s so much infrastructure and resources that they’re not familiar with, that they’re waiting to see what other people are doing before they move forward. And they’re reaching out to other organizations to see what other people’s approaches are as well.”
Murray said the EU hasn’t yet issued assessment criteria, and for businesses trying to comply, he said, “that’s the big thing: You give us a framework at a very high level but you don’t tell us how you’re going to assess us when you come in.”
There aren’t obvious answers. The GDPR is complex, and many companies are still struggling to work out whether, or how, its requirements apply to them. Some of those include notifying regulators about data breaches within 72 hours; spelling out what data is being collected, and why; and making users’ personal information available to them for review.
“If you’re in the United States and you’re a small organization, they’re reaching out to lawyers who don’t know, who are referring them to lawyers who think that they know, but they’re not sure — it’s a mess,” Murray said. “It’s a mess.”
As Murray notes, small businesses can indeed be subject to the GDPR. Any company that stores or processes the personal data of EU citizens living in the EU (not EU citizens in the United States) must comply, even if it has no business presence there.
“The mandatory 72-hour GDPR breach-notification period has security professionals at Amnet [concerned] because most businesses aren’t prepared,” Dierdorff said. “The United States doesn’t have a national data-breach notification requirement. However, most states do require notification within 30 to 45 days. Colorado’s requirement is less specific…”
For American companies that need to comply, the GDPR also shakes up what’s considered private data, and how it’s handled. The EU considers private data to include name, home address, email address, ID numbers, location data, IP addresses and cookie data. “Sensitive” data requires even greater protection and includes racial or ethnic origin, political opinions, religious or philosophical beliefs, processing of genetic data, trade union membership, biometric data, health data and sexual orientation.
Noncompliant businesses may be fined up to 4 percent of worldwide annual turnover or €20 million, whichever is greater.
“Further risk is that the consumers whose data is breached can file class-action suits against them for noncompliance,” Dierdorff said.
Many companies are taking a wait-and-see approach, and expecting to see tech giants tackled first, Murray said.
“We’re all waiting for Facebook and Google to get assessed, because Google keeps trying to fight the EU data protection directive and the GDPR transition and they’ve been to court a couple of times in the last few months and they keep losing,” he said. “So Google’s got a lot of work to do. So we’re waiting for those big companies to get slapped around a little bit. We don’t think they’re going to put prison sentences on people. But … if they don’t do due diligence and they don’t move forward and the appearance is they’re not taking it seriously — that’s when we expect the EU authorities to actually come back and start assessing fines.”
Dierdorff said European regulators are likely to impose large fines to make an example of noncompliant organizations, particularly early on.
“This is much like the U.S. Health and Human Services/Office of Civil Rights does with their ‘Wall of Shame’ and HIPAA breaches of protected health information (PHI),” he said. “It is unclear how aggressively they’ll pursue U.S. companies as the EU’s jurisdiction outside of the EU could be brought into question.”
Businesses that really aren’t ready, Murray said, should start with the basics: “What information on European citizens do you collect? How do you collect it? How do you process it? How do you transmit it? And then how are you protecting it?”
They also need to understand what their vendors are doing, he said. Details regarding incident response, data management, data availability and sanitization procedures should be well defined in vendor agreements.
But don’t panic and hire the first company that scares you. “There’s a lot of non-reputable companies out there trying to make a buck at it…” Murray said. “People are spending money and they don’t necessarily know what they’re getting.”
Dierdorff offered steps for organizations to prepare their technology for the GDPR.
Inventory personally identifiable information. Where is it stored? Is it on your local servers or in the cloud? If it’s hosted in the cloud, determine in what geographical locations it’s housed.
Perform a gap analysis. Understand whether your technology and other resources are operating effectively. Your technology solution provider can then create an action plan to fill in the gaps. The right TSP will understand the GDPR regulations and how your IT must support your compliance efforts.
Develop an action plan. Your TSP should document a detailed action plan for how to use technology to meet the GDPR if you experience a data breach. This should include individuals’ roles and responsibilities. Conduct tabletop exercises to practice how the plan will work with specific timelines and milestones.
Ensure data privacy. If you don’t have a TSP, you need one for this. Data protection is key for an organization of any size. Consumers have the right to have their data erased if they want. This is called “the right to be forgotten.” This concept was put into practice in the European Union in 2006, and it’s a part of the GDPR. You won’t be able to erase consumers’ data if it is stolen.
Document and monitor everything done related to GDPR compliance. This includes any changes or upgrades that your TSP makes to your IT environment. You may need to demonstrate that you’ve done your due diligence when it comes to protecting citizens’ private information and that you practice “defense-in-depth,” using multiple layers of security controls across your technology.
“Smaller businesses with no presence in Europe may not need to be concerned with GDPR compliance,” Dierdorff added. “However, an increased focus on cybersecurity is a must regardless of your size. Breaches of your business data can be devastating. Most small and mid-sized businesses in our region are more vulnerable than they realize.”