The European Union’s General Data Protection Regulation (GDPR) goes into effect in just two months. Designed to ensure that organizations protect the personally identifiable information of individuals, this new set of rules is the most important data privacy change in two decades, according to the EU’s own GDPR web portal. While much of the responsibility for adherence falls to compliance and information security professionals, IT leaders must also understand the impact of GDPR – not only the requirements and risks associated with non-compliance, but also the resulting changes in data collection and governance.
Want a brief education? These eight key facts about GDPR will get you up to speed ahead of its May 25 enforcement date.
1. GDPR is one of the largest – and potentially most punitive – privacy laws ever
GDPR consolidates the many existing EU data laws into a single mandate and establishes significant fine structures for companies that are not compliant. Companies can be fined up to €20 million or 4 percent of worldwide annual turnover, whichever is greater, for infringements of GDPR's basic principles for data processing or of the data rights of individuals in the EU. “[CIOs] are under the gun to live and breathe the fine details of this new regulation,” says Jason Hoenich, co-founder of cybersecurity awareness company Habitu8. “They need to become very intimate with how their systems collect, store, transfer, and delete sensitive data.”
2. GDPR regulations (almost certainly) apply to your organization
The GDPR applies to any organization that offers goods or services to, or monitors the behavior of, individuals in the EU, regardless of where the organization itself is based. If you merely have a website that markets your products or services or collects visitor information, you may be subject to these new rules. A financial transaction doesn’t have to occur for GDPR to apply. As attorneys from Jackson Lewis recently noted in the firm’s Workplace Privacy, Data Management & Security Report: “If your company is engaged in monitoring the behavior of EU residents (e.g., tracking and collecting information about EU users to predict their online behavior), the GDPR likely will apply.”
3. GDPR compliance will require cross-functional collaboration
In order to adhere to GDPR requirements, companies must figure out all the ways they gather and store the personally identifiable information of individuals in the EU, says Eric Simonson, managing partner with management consultancy Everest Group. That will demand close collaboration among people in all parts of the organization, from IT to sales and marketing to finance. GDPR also requires organizations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive categories of personal data, to appoint a Data Protection Officer to oversee compliance. While that role will likely fall under the Governance, Risk, & Compliance function, according to Hoenich, smart CIOs will partner with their new DPOs going forward.
[ What's a DPO? See our related article, GDPR confusion: IT puzzled over data protection officer role. ]
4. GDPR can be a powerful lever for improving data quality
Gartner has estimated the average financial impact of “bad data” on an organization at $9.7 million per year. To the extent that conforming to the new EU rules encourages companies and their IT leaders to re-examine and purge their data stores, it could result in increased efficiencies and better decision-making overall. “Article 32 of GDPR requires organizations to be more structured and formal in their protection of personal information,” says Karen Schuler, consulting partner and national information governance practice leader with BDO USA. “Companies preparing for GDPR should think beyond penalty avoidance to use GDPR as a springboard to drive compliance and CIOs should drive resource allocation to reap the ‘silver lining’ benefits. CIOs will enable business executives to find the needle in the haystack, faster and more cost-effectively – resulting in making decisions on current-day information versus outdated information.”