From insular US firms to spammy marketers: Who will GDPR hit the hardest?

The EU General Data Protection Regulation (GDPR) came into effect at the end of last year and will be enforced from 25th May 2018. It stipulates that the handling of EU citizens’ data must comply with the regulation – negligent organisations can be fined up to €20 million ($23 million) or 4% of their global revenue (whichever is greater).

The basic principles state EU citizens now have to provide ‘explicit consent’ for companies to store their data, they have a ‘right to be forgotten’ and organisations have an obligation to show where this data is stored. Businesses must also report a breach within 72 hours of it happening – which is no mean feat when the majority still do not know when these have taken place.

In essence this law makes any business that deals with European citizens’ data fully and unequivocally accountable, with severe cash penalties. Most EU regulations are pretty light, fluffy and advisory, but this one is quite categorical. Yet as it is new there are still a few grey areas surrounding how exactly it might work in practice.

Panic has begun to set in, and over the last year studies have been coming in thick and fast about how unprepared businesses are – like this one by Symantec [PDF]. Yet, hype headlines aside, it is clear there is a growing awareness of the regulation within Europe, even if the same is not true of international organisations headquartered in the US and Asia. It is also clear that while all businesses are likely to be impacted one way or another, some industries will take a greater hit than others.

So, to get some clear feedback from amongst the white noise on the subject, I put four general questions to 25 different experts in the field. Below is a very short summary of their aggregated answers to each of the questions, while some of the more interesting verbatim comments – organised by question – are listed throughout the bulk of the report.

Overview

Which industries will be hit the hardest by GDPR – will any be decimated by this?

General consensus has it that no industries will actually be decimated by this regulation. However, it will impact any company which holds EU citizens’ data. A number of different industries were called out as being at particular risk, including financial services, telcos, retail and government. Smaller businesses might also find it particularly difficult to comply with the regulation.

How prepared are international businesses headquartered in the US or Asia?

There appears to be some disagreement about how ready companies based outside Europe are for this regulation. Some argue that Safe Harbor and Privacy Shield have paved the road to awareness amongst US firms but many others believe that the US – and others around the world – are still completely oblivious.

Are there any areas which will prove particularly hard to prepare for?

The main issue here appears to be fragmented data that is hard for companies to properly audit. If organisations do not have a proper handle on exactly where their data is stored and duplicated it will be impossible for them to comply with the rules. There is also some debate about what particular terminology – like ‘explicit consent’ to share data – might mean in practice.

Is there anything else to add on the subject?

This is not just a legal or a data issue; it also covers the cultural mindset within organisations. It is equally important to remember that this is not the only piece of legislation out there. GDPR will also interact with other specific local laws like the UK Investigatory Powers Act, the EU Information Systems (NIS) Directive and US Privacy Shield law.


In-depth comments


Which industries will be hit the hardest by GDPR – will any be decimated by this?

Firms which have pushed the boundaries

“Decimated is a strong term but I would say that firms who have until now pushed the boundaries of what they do with this data without active consent, and who rely on those activities for their core business, will be very adversely affected. Everyone else needs to take a view on how exposed they might be. We see financial services and life sciences/healthcare industries being the most exposed because of the amount of personal data they keep, and the long retention times associated with that information.”
Rafael Bloom, Business Development Director at Arkivum

The first negligent company could be made an example of

“GDPR won’t necessarily decimate entire industries, but it could really damage the first company that falls foul of the rules. The first breach will set the GDPR tone, and if the company in question is running a tight margin line, they could really suffer. The associated fines plus the cost of infrastructural, technological and personnel changes could prove too great – and their demise will undoubtedly spur every other industry into action.”
Jason Allaway, Area Vice President UK&I, at RES

Financial services, telcos, retail and government

“Any industry that involves holding personal information relating to citizens of the European Union (EU) will be affected. This typically means financial services, telecommunications, retail and government are the most at risk from fines that have the capacity to cripple profits and balance sheets. No-one is immune. Whilst no one industry will be crippled by the law, it is perfectly feasible that a large company could be heavily fined should they be in violation of GDPR. For example, the recent UK Tesco breach could have potentially involved a fine of about £1.9B [$2.41B] under GDPR.”
Spencer Young, RVP, EMEA at Imperva

The call centre industry

“The call centre industry, or companies with outsourced call centres outside the EU, will still need to address their databases and seek consent from individuals inside the EU, regardless of the Telephone Preference Service (TPS). Without consent these databases will undoubtedly diminish and companies will be hit significantly.”
Keith Dewar, Group Marketing & Product Director at MyLife Digital

Publishing and advertising

“Data driven digital businesses like publishing and advertising will face new challenges and opportunities in meeting GDPR particularly around breach notification and ‘privacy by design’.”
Rashmi Knowles, Chief Security Architect EMEA at RSA

SMEs

“The upcoming GDPR will be especially demanding for SMEs that aim to collect large amounts of personal data for disruptive applications. For instance, GDPR requires that a data protection impact assessment should be carried out prior to processing personal data. GDPR provides some leeway to SMEs in terms of assigning a data protection officer, or in their record keeping activities. However, this holds true only if the processing is not likely to result in a risk to the rights and freedoms of the data subjects, or the processing is not the core activity of the business.
“GDPR demands that consumers should be able to review when their personal data is collected and how it is used, and be able to give or withdraw consent. With such a diverse range of data being collected in different ways via a broad range of IoT devices, consent becomes a complicated and lengthy process. It gets even more complicated when you consider personal data collected as collateral, such as a security camera filming in a public place. How do you give passers-by the right to control their data when they don’t know it has been collected? This is just one of the many issues posed by IoT devices in the context of GDPR.”
Cigdem Sengul, Senior Researcher at Nominet R&D

Marketing 

“The department that will be hit the hardest, and probably hasn’t started planning, is marketing. GDPR’s clearer rules around opt-in, data handling, automatic deletion and using data only for what it was gathered for will catch many marketing teams out.”
Nigel Hawthorn, Chief European Spokesperson at Skyhigh Networks

Industries rife with M&As

“In general, any industry that has seen multiple mergers and acquisitions and is very much customer facing (in other words Business to Consumer rather than Business to Business) is likely to be hit hard by GDPR. Telecoms is one such example: The industry has seen multiple M&As and consolidation towards a small number of big players, which has resulted in complex IT and processes where different departments have little oversight or control over other departments. Telecoms firms often also have dissatisfied and irate ex-customers, so it is entirely conceivable that a number of these angry ex-customers join forces to make regulatory requests which these companies cannot fulfil in the specified timeframes, therefore they become the target of lawsuits.”
Christy Haragan, Principal Sales Engineer at MarkLogic

Industries built around large customer bases

“Industries which are built around large customer bases, such as financial services, insurance companies, telecoms, energy, and health care providers are particularly vulnerable and will need to ensure they have the highest level of security precautions in place. The large number of cloud-based data storage and processing providers that have appeared in recent years will also need to be aware of their potential liability.”
Rui Melo Biscaia, Director of Product Management at Watchful Software

Startups and fintechs

“There also needs to be an understanding of how the startup and fintechs will impact and be impacted by GDPR. Quite a lot of startups use data explorations and data monetisation of customer data and customer journeys. The issues of data security and data privacy need to be thought of more carefully for these start-ups in this space.”
Graham Hunt, Senior Manager of Insights & Data Practice at Capgemini

The end of list sellers

“Hopefully, businesses trying to sell contact lists will become redundant, but the firms hit hardest will be the ones that are yet to start preparing. Financial services firms, public sector organisations and service providers are already aware of the requirements to inform authorities and users of data loss. Yet, those organisations operating within industries that aren’t as heavily regulated need to realise that similar requirements are coming their way.”
Nigel Hawthorn, Chief European Spokesperson at Skyhigh Networks

Data controllers and processors

“The cost of doing business for data controllers and processors however will initially rise. Organisations that offer services for data processing are either expected to initially accept these costs, pass initial costs onto the controller or attempt to pass them onto the consumer.”
Neil Thacker, Deputy CISO of Forcepoint

Some SMEs may go out of business

“Due to the steep fines of GDPR it is expected that SMEs will be especially hit by GDPR, and they could possibly be put out of business if they ever fail to meet the requirements and face a financial penalty.”
Ryan Kalember, SVP, Cybersecurity Strategy at Proofpoint

Extended supply chains

“The ruling could have a negative effect on sectors like e-commerce, or manufacturing with extended supply chains, where a company accesses data sets from multiple partners to get its work done.

“Decimated is a strong word, but I am sure there will be companies who will be hurt by this regulation. Just by looking at recent breaches, many companies could suffer significant penalties that will impact their ability to grow or operate and more importantly, affect their reputations.”
Marc Sollars, CTO at Teneo

The hotel sector

“Hotels will be one of the sectors most affected by this legislation. The reasons are fairly obvious; major hotels groups in particular accommodate tens of thousands of European citizens in their hotels every night, in locations all over the world. These hotels make it their business to gather huge amounts of data on their guests in order to improve the customer experience and in doing so increase brand loyalty. The industry now has a responsibility to protect the guests’ data, no matter where the hotel is located.

“Only in the very largest corporate hotel groups is there much evidence that they are taking GDPR seriously. Awareness is negligible and most non-European companies simply do not think it applies to them.”
Geoff Milton, Security Strategist at ShieldQ

Financial services, third party providers and cloud providers

“Every industry will be impacted by GDPR, but if I had to pick the three that will be most impacted, I’d say financial services, third party providers and cloud providers.”
Sheila FitzPatrick, Worldwide Legal Data Governance & Data Privacy Counsel/Chief Privacy Officer at NetApp

Companies that rely on remote workers

“Companies that rely heavily on bring your own device (BYOD) practices or that have a significant amount of remote workers are, again, arguably more at risk of falling foul of the GDPR. This is down to the fact that it’s often harder for IT to monitor and lock down devices beyond the corporate network. In this instance it’s vital for companies to have an endpoint monitoring, protection and recovery solution in place to significantly mitigate damage in the event of a data breach.”
Nic Scott, Managing Director UK&I at Code42


How prepared are international businesses headquartered in the US or Asia?

Larger US organisations have it on their radar

“Larger global organisations certainly in the US have GDPR on their radar. Perhaps not so for other parts of the world. Again, the new definitions of data may catch organisations out in meeting compliance.”
Rashmi Knowles, Chief Security Architect EMEA at RSA

Europe is more equipped

“In Europe, where there is generally a corporate and social culture which favours privacy, the levels of preparation are relatively high – for many, the data collection protocols are already in place, and some companies already have a Data Protection Officer. Asia is slightly further behind, but many companies have now begun their implementation process.

“In the US, there is a more US-centric response to GDPR, with many companies relying on Privacy Shield for their compliance template – this presents a huge challenge as being compliant with Privacy Shield does not automatically make a business compliant with GDPR. On top of this, many technology providers are jumping on the bandwagon of preparing for GDPR, by offering tools and technology to help companies prepare. However, this is like building a house from the second story. Instead, companies in the US need to take that a step back and look at their data protection compliance foundation, including their privacy policies, consents, registrations, etc., before they consider investing in any new technologies and solutions to help them achieve compliance.”
Sheila FitzPatrick, Worldwide Legal Data Governance & Data Privacy Counsel/Chief Privacy Officer at NetApp

Germany leads the way

“From an awareness perspective, Germany is sitting at the leading edge along with various European IMO organisations, with US businesses currently falling behind the curve. Despite financial institutions being regulation-savvier, the levels of readiness across all sectors are generally very low. GDPR will be particularly difficult for enterprises harvesting their information through third parties on the internet, as they will have to trust their data supply chain implicitly, in addition to companies using information drawn from loyalty and credit cards.”
Steve Neat, VP EMEA at Collibra

Awareness low in US and Asia

“While many companies within the EU itself are still trying to determine how to comply with the new law, awareness is extremely low in the US and Asia. We have found that many senior managers in US-headquartered international financial companies have never even heard of the GDPR.”
Rui Melo Biscaia, Director of Product Management at Watchful Software

EMEA companies have been slow to acknowledge

“EMEA companies have been slow to acknowledge it – the majority of businesses headquartered in Asia or the US are totally unaware of GDPR. Overall awareness is incredibly low, even in light of all recent data thefts, e.g. TalkTalk, Tesco Bank.”
Adam Sharp, MD & Co-founder of CleverTouch

US may be better prepared than EU

“Some research has shown that US organisations may even be better prepared for GDPR than EU organisations. Initiatives such as the Data Privacy Shield (a joint EU/US privacy initiative) mean that some US organisations already have privacy regulation on their radars but there are plenty of other US organisations who will be treating this regulation with low priority. And, there is little research to suggest that GDPR is making huge inroads in Asia.”
Christy Haragan, Principal Sales Engineer at MarkLogic

Woefully unprepared everywhere

“In my experience, most companies within and outside the EU are woefully unprepared for GDPR enforcement. Most organisations do not understand that GDPR law is already active, but it will not be enforced until 2018. Whilst the approach was designed to give organisations time to prepare and amend their internal processes and make the required investments in people and technology, to date, this has largely been ignored.

“I’ve routinely met executives in large institutions outside of the EU who wrongly believe that because they do not have a European presence or data centre they are immune from complying with GDPR. This is simply not the case, as the law covers any company who holds data relating to an EU citizen.”
Spencer Young, RVP, EMEA at Imperva

US and Asian firms unaware

“The significance of GDPR hasn’t hit the radar of most international businesses headquartered in the US or Asia. For companies based outside of Europe, there is definitely a lack of education and awareness in regards to the implications and requirements. GDPR is currently viewed as a European initiative. This is dangerous – companies based outside of Europe still need to play by the rules if they wish to continue trading within the EU.

“These companies have 18 months to change their policy processes and data structures. Many of them will struggle in this time frame and they need to acknowledge now rather than later that this isn’t an EU issue, but a global one.”
Jason Allaway, Area Vice President, UK&I at RES

There has been a gradual mindset change especially in North America

“In 2015, it was virtually impossible to get businesses outside the EU to be interested in GDPR. However, we have seen a change in mind-set, particularly in multi-national businesses headquartered in North America. The confusion around the US/EU Data Privacy Shield and data transfers is probably one of the largest areas of discussion.”
Nigel Hawthorn, Chief European Spokesperson at Skyhigh Networks

A global view of data governance can be tricky for SMEs

“Large enterprises are becoming prepared outside of the EU whilst awareness, especially in the US and Asia markets, is increasing. A global view of data protection laws is a requirement for large enterprise with governance, risk and compliance teams becoming well versed in understanding current and proposed changes. The issue lies however with some small and medium enterprises who are waiting for further information from the supervisory authorities for countries that they operate or control/process data from. A view that is common from small and medium enterprises is that other than the publication of the GDPR, little has been done to prepare these organisations outside of the EU for these changes. A technical trend observed is that organisations across the globe are investing in data protection technologies and extending their technical policies to focus on data protection through the use of encryption, pseudonymisation and DLP (Data Loss Prevention).”
Neil Thacker, Deputy CISO of Forcepoint

A mishmash of legislation clouds the picture

“Companies in Asia-Pacific Economic Cooperation (APEC) currently volunteer to the Cross Border Privacy Rules system (CBPR). This is a voluntary, accountability-based system to facilitate respect of privacy during data flows among APEC economies. A Joint Oversight Panel (JOP) administers the APEC CBPR system, assisted by the CBPR Secretariat. Decisions about an organisation's eligibility to be an Accountability Agent are made by APEC economies.

“However, the transfer of personal data between EU and APEC needs to involve Accountability Agents in other countries, such as the US or Japan, to verify that the organisation complies with CBPR, usually via the completion of a questionnaire.

“There is a move to align cross border data transfer rules, which would be a watershed moment, but until then companies need to overcome the complexities of the various global privacy policies and rules such as GDPR and Privacy Shield.

“GDPR includes the establishment of the European Data Protection Board (EDPB) — an EU body with its own legal personality. The EDPB will be responsible for bringing a coherent approach to cross-border dispute resolution.

“The APEC economies seem to be aware of GDPR, but whether company stakeholders are acting upon it is another matter. US companies appear more concerned with the Privacy Shield and what will happen under a Trump government.”
Keith Dewar, Group Marketing & Product Director at MyLife Digital


Are there any areas which will prove particularly hard to prepare for?

‘The right to erasure’

“‘The right to erasure’ is harder than people think, because most data is held in several systems. Further, ‘the right to know’, a bit like the freedom of information act, grants people the right to request and view what data is held on them. It will be particularly difficult for organisations to prepare for ‘the right to know’, and they will require significant support from customer compliance officers.”
Adam Sharp, MD & Co-founder of CleverTouch

Data discovery and recording data flows

“Data discovery and recording of the data flows is probably the biggest part of the job, especially in complex organisations where they have legacy systems and a variety of interfaces where they are capturing information.

“One area that will cause lots of challenges is data portability and the ‘right to be forgotten’ – the ability for someone to ask for their information to be removed or transferred relies on it being in a commonly used format. So some of the legacy information and systems we see need to be reviewed to ensure it can happen within the timescales. Remember this goes across all media forms, whether it’s voice, data, images, and so on.

“Last but not least is incident response. The ability to notify within the new 72-hour window (set out by GDPR replacing the current non-mandated system of breach notification) will present real challenges, so legal counsel may be required. And, when incidents do occur, they don’t always happen between 9am and 5pm when people are in the office, which may cause problems for some.”
Mark Taylor, Managing Consultant at NTT Security

Cloud-based storage raises questions over data sovereignty

“Cloud-based data storage brings about questions over data sovereignty – there needs to be proper control over the jurisdiction in which data is stored. Off-the-shelf cloud products may not give the guarantees one would ideally like, and this could generate costly issues in the years to come.”
Rafael Bloom, Business Development Director at Arkivum

Data portability

“Data portability will prove to be extremely tricky. This states that a citizen may request full details in a computer readable format of all the personal data an organisation has about them. This means an organisation has to know not only which of its systems contain personal data, but precisely to whom this personal data relates. Given the very broad definition of personal data and the large number of data systems that an enterprise typically has, this will be a tough order. And taking it a step further, a citizen will also have the right to ask exactly how the organisation is using their personal data, who they are sharing it with and why: this will be particularly hard to prepare for as it means organisations will have to document their data flows and understand data lineage and provenance, along with business processes as well as all third party interactions.”
Christy Haragan, Principal Sales Engineer at MarkLogic
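The two comments above (Adam Sharp on erasure being hard because "most data is held in several systems", and Christy Haragan on portability requiring an organisation to know which systems hold personal data, to whom it relates, why it is processed and who it is shared with) both come down to the same prerequisite: a data map. The example below is added here and is not code from the article or from any of the firms quoted. It assumes a hypothetical in-memory register (`SystemEntry`) describing each system, the identifier it keys people by, the personal fields it holds, the purpose and the recipients; the three systems and their records are constructed for the example, and real systems would be queried through their own interfaces. It serves a subject access/portability export as JSON-ready data and an erasure that honours a documented retention obligation rather than silently skipping it.

```python
"""Serve a data subject request across several systems from one data map.

Added example (not the article's or any vendor's code). Everything here is an
assumption for illustration: the SystemEntry register, the three sample
systems and the records in them are constructed.
"""
import json
from dataclasses import dataclass, field
from datetime import date
from typing import Any, Optional


@dataclass
class SystemEntry:
    """One row of the (constructed) data map: where personal data lives and why."""
    name: str
    match_field: str                       # identifier this system keys people by
    personal_fields: list[str]             # fields that are personal data in this system
    purpose: str                           # why the data is processed
    shared_with: list[str]                 # third parties it is disclosed to
    retention_field: Optional[str] = None  # if set, each record carries a legal-hold date
    records: list[dict[str, Any]] = field(default_factory=list)


def build_sample_data_map() -> list[SystemEntry]:
    """Constructed sample: three systems, two of which hold data on 'alice'."""
    return [
        SystemEntry("crm", "email", ["full_name", "email", "phone"], "customer support",
                    ["helpdesk outsourcer (assumed)"],
                    records=[{"email": "alice@example.org", "full_name": "Alice Example",
                              "phone": "0700 000000", "tier": "gold"},
                             {"email": "bob@example.org", "full_name": "Bob Example",
                              "phone": "0700 111111", "tier": "basic"}]),
        SystemEntry("billing", "customer_id", ["customer_id", "address"],
                    "invoicing (statutory retention)", [], retention_field="retain_until",
                    records=[{"customer_id": "C-1001", "address": "1 Example Road",
                              "retain_until": "2030-01-01"},
                             {"customer_id": "C-1001", "address": "1 Example Road",
                              "retain_until": "2018-01-01"}]),
        SystemEntry("marketing", "email", ["email"], "newsletter",
                    ["email service provider (assumed)"],
                    records=[{"email": "carol@example.org"}]),
    ]


def _matches(system: SystemEntry, subject_keys: dict[str, str], record: dict[str, Any]) -> bool:
    """A record belongs to the subject if the system's own identifier matches."""
    key = subject_keys.get(system.match_field)
    return key is not None and record.get(system.match_field) == key


def export_subject(data_map: list[SystemEntry], subject_keys: dict[str, str]) -> dict[str, Any]:
    """Right of access / portability: per system, the matched records restricted to
    personal fields, plus purpose and recipients. A system with no data is still
    listed, so the answer is provably complete rather than silently partial."""
    systems = []
    for system in data_map:
        matched = [{f: r.get(f) for f in system.personal_fields}
                   for r in system.records if _matches(system, subject_keys, r)]
        systems.append({"system": system.name, "purpose": system.purpose,
                        "shared_with": system.shared_with, "records": matched})
    return {"subject": subject_keys, "systems": systems}


def export_subject_json(data_map: list[SystemEntry], subject_keys: dict[str, str]) -> str:
    """Machine-readable form of the export, as the portability right requires."""
    return json.dumps(export_subject(data_map, subject_keys), indent=2, sort_keys=True)


def erase_subject(data_map: list[SystemEntry], subject_keys: dict[str, str],
                  today_iso: str) -> dict[str, dict[str, int]]:
    """Right to erasure: delete matching records in every system, except where a
    documented retention date is still in the future; those are reported as
    'retained' so the response to the subject can say so, not hidden."""
    today = date.fromisoformat(today_iso)
    outcome: dict[str, dict[str, int]] = {}
    for system in data_map:
        keep, erased, retained = [], 0, 0
        for record in system.records:
            if not _matches(system, subject_keys, record):
                keep.append(record)
                continue
            on_hold = (system.retention_field is not None
                       and date.fromisoformat(record[system.retention_field]) > today)
            if on_hold:
                keep.append(record)
                retained += 1
            else:
                erased += 1
        system.records = keep
        outcome[system.name] = {"erased": erased, "retained": retained}
    return outcome


if __name__ == "__main__":
    data_map = build_sample_data_map()
    alice = {"email": "alice@example.org", "customer_id": "C-1001"}
    print(export_subject_json(data_map, alice))
    print(erase_subject(data_map, alice, "2018-05-25"))
```

The point of the edge case in `billing` is that a truthful erasure report is itself a compliance artefact: one invoice record is past its retention date and goes, the other is kept and counted, and the export after erasure shows exactly what is still held and why.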

Dark data

“Dark data will prove the biggest challenge for most businesses according to Veritas’ 2016 Databerg Report. On average 54% of the data held by organisations in Europe is considered 'dark data', operational data that isn’t being used by an organisation. Why is this hard to prepare for? If organisations don’t understand the nature of their data, how can they take the necessary action to secure it?”
Alex Guillen, Go to Market Marketing Manager at Insight UK

Joint accountability for data breaches

“One of the biggest challenges under the new law is that enterprises will share joint accountability for any personal data breaches with third party vendors that work on their behalf to control or analyse data. This means that if an organisation outsources data entry or analysis to a third party, or processes data on behalf of another organisation, they will be liable for any data breaches they suffer. File level encryption is one of the most effective measures for dealing with this additional risk, as it ensures that all sensitive data is classified and protected against unauthorised access, regardless of where it is. Investing in the ability to remotely kill file access will also help companies to protect files if any issues arise with third parties.

“Finally, organisations will be responsible for mandatory data breach notification and information governance, as well as being required to actively track how and where data is stored and used through the supply chain. This means adopting risk management tools and building security privacy into operations by design, including ensuring they are able to provide a complete audit trail documenting all data activity.

“The ability to automatically classify and protect all personally identifiable information (PII) on the network as soon as it is created will be an essential part of this process.”
Rui Melo Biscaia, Director of Product Management at Watchful Software

Finding and indexing data

“GDPR introduces a number of elements that will present a challenge. But in my view, finding and indexing data will prove the most difficult for companies. Under GDPR, businesses will have to comply with information requests from customers who will have the right to an overview of the data being held on them.

“This sounds simple – but for 90 per cent of companies, it will be an extremely difficult promise to fulfil. How will organisations that have never indexed their data before provide personalised data overviews in thirty days? It’s already assumed that an additional 75,000 data protection officers will be needed around the world when GDPR is rolled out and hundreds more on top of this will be needed to simply process these requests.

“This is such a challenge that GDPR could become the next PPI. Organisations do not currently have the manpower, technology and historical overview of data to service every customer request. If a company fails to provide this information from the moment GDPR comes into force, they will be in breach of the regulation, fines will ensue and a downward spiral will form. Companies have only 18 months to be in a position to react to data requests in just 30 days. It’s a huge ask and they need to begin to prepare now.”
Jason Allaway, Area Vice President UK&I, at RES

Third parties

“Third parties may be an organisation’s weak link. It’s no good having all the relevant processes and advanced cyber security, if you freely share data with outsourcers, third parties, and across the cloud without ensuring data recipients have the same measures in place. You are responsible if your third parties lose data, so it’s imperative for you to ensure that they are as safe as you are.”
Nigel Hawthorn, Chief European Spokesperson at Skyhigh Networks

Copies of data required for testing

“As part of the development cycle, enterprises rely on copies of production data to use for testing. Businesses will need to pseudonymise this data as it is copied from a production to a non-production environment to comply with GDPR. This is probably the biggest challenge facing business, yet it offers the potential for substantial ROI as well as ensuring compliance.”
Christopher Glynn, Senior Consultant at ECS
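The comment above describes the step but not what a workable pseudonymisation of a production extract looks like. The example below is added here and is not code from the article or from ECS. It assumes the approach a practitioner would typically take: direct identifiers are replaced with keyed HMAC-SHA256 tokens, so the same person maps to the same token in every table (joins and foreign keys keep working in test) while the secret key stays in production and never ships with the copy; quasi-identifiers are generalised (date of birth to year, postcode to its outward code) and free-text fields are dropped because they can re-identify people on their own. The two sample tables and the field policy are constructed for the example.

```python
"""Pseudonymise a production extract before it is copied to a test environment.

Added example (not the article's or ECS's code). The sample tables, the field
policy and the choice of keyed HMAC tokens are assumptions for illustration.
"""
import hashlib
import hmac
import json
import secrets
from typing import Any

# Constructed sample "production" extract: two tables joined on customer_id.
CUSTOMERS = [
    {"customer_id": "C-1001", "email": "alice@example.org", "full_name": "Alice Example",
     "date_of_birth": "1984-03-17", "postcode": "SW1A 1AA",
     "notes": "Called about refund; mentioned her employer by name"},
    {"customer_id": "C-1002", "email": "bob@example.org", "full_name": "Bob Example",
     "date_of_birth": "1990-11-02", "postcode": "M1 1AE", "notes": ""},
]
ORDERS = [
    {"order_id": 501, "customer_id": "C-1001", "amount": 19.99},
    {"order_id": 502, "customer_id": "C-1002", "amount": 5.00},
    {"order_id": 503, "customer_id": "C-1001", "amount": 42.50},
]

# Field policy (constructed). Fields not listed are copied unchanged on the
# assumption that they have been reviewed and are not personal data.
TOKENISE = {"customer_id", "email", "full_name"}  # direct identifiers -> keyed tokens
GENERALISE_YEAR = {"date_of_birth"}               # keep only the year
OUTWARD_CODE = {"postcode"}                       # keep the outward code only ("SW1A")
DROP = {"notes"}                                  # free text can hold anything: remove


def tokenise(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token. Without the key a token cannot be reversed or
    regenerated, so test users cannot rebuild a lookup table. The field name is
    mixed into the MAC so an email token and a name token never collide."""
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{field}_{mac[:16]}"


def pseudonymise_record(key: bytes, record: dict[str, Any]) -> dict[str, Any]:
    """Apply the field policy to one row."""
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in DROP:
            continue
        if field in TOKENISE:
            out[field] = tokenise(key, field, str(value))
        elif field in GENERALISE_YEAR:
            out[field] = str(value)[:4]
        elif field in OUTWARD_CODE:
            out[field] = str(value).split()[0]
        else:
            out[field] = value
    return out


def pseudonymise_extract(key: bytes, tables: dict[str, list[dict[str, Any]]]) -> dict[str, list[dict[str, Any]]]:
    """Use one key for every table so foreign keys still line up in test."""
    return {name: [pseudonymise_record(key, r) for r in rows] for name, rows in tables.items()}


def referential_integrity_ok(customers: list[dict[str, Any]], orders: list[dict[str, Any]]) -> bool:
    """Every order must still resolve to a customer after tokenisation."""
    known = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in known for o in orders)


def leaks_raw_identifiers(pseudonymised: dict[str, list[dict[str, Any]]],
                          originals: list[dict[str, Any]]) -> bool:
    """Release gate: does any raw identifier value survive anywhere in the output?"""
    blob = json.dumps(pseudonymised)
    raw_values = {str(r[f]) for r in originals for f in TOKENISE | DROP if r.get(f)}
    return any(v in blob for v in raw_values)


if __name__ == "__main__":
    prod_key = secrets.token_bytes(32)  # lives in production only; never copied out
    copy = pseudonymise_extract(prod_key, {"customers": CUSTOMERS, "orders": ORDERS})
    assert referential_integrity_ok(copy["customers"], copy["orders"])
    assert not leaks_raw_identifiers(copy, CUSTOMERS)
    print(json.dumps(copy, indent=2))
```

Two design points matter in practice: the key is generated and kept on the production side, so the test copy carries no way back to real people, and the release gate (`leaks_raw_identifiers`) runs over the serialised output rather than over the fields you remembered to list, which is what catches the identifier that slipped into an unlisted column.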

‘Consent’ and ‘legitimate interest’

“A couple of areas which I think will prove difficult to prepare for are what is known as ‘consent’ and ‘legitimate interest’. These are two grounds for justifying the processing of personal data under GDPR that remain unclear.

“‘Consent’ is defined by GDPR as any freely given, specific, informed and unambiguous indication of wishes by which the data subject signifies agreement to their personal data being processed. This raises a number of questions: how explicit will consent need to be, will it have to be a positive action, and how can businesses engage with the consumer to source this consent?

“The ‘legitimate interest’ condition provides grounds to process personal data in a situation where a business needs to do so for the purpose of its own legitimate interests or the legitimate interests of the third party to whom the information is disclosed. Determining the existence of a legitimate interest requires an assessment of whether a data subject can reasonably expect at the time, and in the context of the collection of the personal data, that processing for that purpose may take place. The question here is: how far can the ‘legitimate interest’ extend?

“With the current ambiguity around these two areas, businesses will struggle to prepare appropriately ahead of GDPR implementation. This unpreparedness could have a significant effect on businesses as they risk a breach come 2018.”
Andrew Bridges, Data Quality and Governance Manager at REaD Group

Unstructured data

“Unstructured data held on company networks (e.g. customer details, images and social media interactions) will arguably be the GDPR’s biggest impact, since organisations will become directly liable for managing this on their networks and in the cloud. For example, if a company’s employees regularly use cloud apps like OneDrive, Box and Netsuite, IT professionals have to ask themselves where the data is exactly and who owns it after it leaves the office. It’s not an easy question as data is increasingly held on cloud apps that aren’t in the data centre.”
Marc Sollars, CTO at Teneo

The Investigatory Powers Act in the UK

“The UK government has made things quite difficult for organisations by recently introducing the Investigatory Powers Act. The new surveillance law is counter to the spirit of the EU GDPR, which attempts to prevent the indiscriminate collection of data on individuals. For an organisation to be in compliance with both the Investigatory Powers Act and EU GDPR, it will have to notify subscribers of the type of data being collected and its intended purpose. It will also have to make that data available in a machine-readable format. The biggest conflict with EU GDPR is that a user cannot make a request based on the ‘right to erasure’ for data younger than 12 months.”
Richard Stiennon, Chief Strategy Officer at Blancco Technology Group

The ‘right to be forgotten’ and erasure

“The most difficult parts of the GDPR to achieve will be the ‘right to be forgotten’ and the ‘right to erasure’ – at the moment, it’s unclear if historical data will be covered by the new legislation. In many cases, companies have this information on third party solutions, so the third party supporting the environment may also have a copy of the data – and it will be a challenge to ensure that this becomes compliant.

“Transparency and unambiguous consent will also be a challenge. As GDPR removes the ability for companies to make consent a condition of the contract, it will prove challenging for companies to change their mindset and present customers with a business proposition that makes people want to give consent rather than feel obliged to do so. It comes back to transparency – if there is a benefit to the individual who is sharing their information, they will be happy to share it. And if you can’t show what you’re doing with someone’s data, and why they should give it to you, you probably shouldn’t have access to it in the first place.”
Sheila FitzPatrick, Worldwide Legal Data Governance & Data Privacy Counsel/Chief Privacy Officer at NetApp

Uncertainty in knowing what the law means

“Because the legislation is new, companies face the uncertainty of not knowing how the regulations will be interpreted or enforced.

“The consequence of this is that many companies have little choice but to go to extraordinary lengths to understand and map out their data flows, build new processes and distract their staff from productive activity even where data processing is an ancillary activity for them. This means incurring significant costs without demonstrable returns, which is particularly painful for non-consumer facing businesses at a time when budgets are under increasing pressure.”
Killian Faughnan, Group CISO/CIRO & Governance at Interoute

‘Privacy by design’, ‘access rights’ and ‘breach notification’

“One of the changes due to be implemented in GDPR is the explicit recognition of the concepts of ‘privacy by design’ or ‘privacy by default’. Businesses will now find themselves subject to a specific obligation to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing. Overlay the current privacy requirements in individual countries and you have a whole new box of worms.

“Under GDPR individuals will have the right to obtain confirmation that their data is being processed and have access to their data. GDPR clarifies that the reason for allowing individuals to access their personal data is so that they can verify the lawfulness of processing. This in itself will pose huge challenges for organisations with the whole process of giving access to data subjects and providing proof of legitimate processing.

“This will incur the highest fines stipulated in any legislation. Organisations are notoriously bad at detecting breaches and on average only 20% are detected by organisations themselves; the rest are notified by third parties.”
Rashmi Knowles, Chief Security Architect EMEA at RSA

Changing employee mindset

“The necessary IT infrastructure to comply with this new regulation can be implemented rather swiftly when compared to the efforts required to change company policies and employee behaviour towards security. As it is quite common for employees to save their data on a USB drive and carry it home, it is also quite common to have said drives and all the data contained lost at a dry cleaner’s – in the UK, approximately 22,000 each year, according to a recent Eset study.

“The use of an encrypted drive is not a herculean task: no technical knowledge is required by the person using it. Complexity lies rather in developing awareness around the protection of sensitive data, and putting it into practice throughout the organisation.”
Valentina Vitolo, Flash Business Manager at Kingston Technology

Is there anything else to add on the subject?

Businesses need to take a full data audit

“One of the first steps businesses can take is to conduct a full audit of their data - identifying and classifying the various types of data, determining how long each data type can be kept for and implementing a rigorous enforcement process for ensuring data is both managed properly and removed when the scenario demands it (i.e. customers demand their ‘right to be forgotten’ or regulation demands it).

“Another important step will be to bring on a Data Protection Officer, who is responsible for creating the infrastructure of processes and policies for compliance.”
Richard Stiennon, Chief Strategy Officer at Blancco Technology Group

Automation can make it easier

“In [the] B2B world, or high luxury brands where Marketing Automation exists (and to some degree in CMSs too) - a preference centre will go a long way to solve the pain. Smart B2B companies e.g. Eaton, VMware and Deloitte are using preference centres and subscription centres to comply with GDPR.”
Adam Sharp, MD & Co-founder of CleverTouch

Allocation of responsibility is crucial

“The GDPR requires businesses to report data breaches to the relevant Data Protection Authority within 72 hours of detection – an extremely short period of time. The key to meeting this deadline is a decisive allocation of responsibilities, and clear lines of communication. In practice, the person most likely to discover the breach (usually an IT technician), the person to whom it should be reported (usually a member of the legal team), and the person who will make strategic decisions (usually a manager or board member) rarely interact in their ordinary duties. Consequently, it is essential for businesses to ensure that these individuals are used to working together and that they each understand their respective roles and responsibilities, in order to meet this 72-hour deadline.”
Dr. Detlev Gabel, Partner at White & Case

It’s important to remember other data privacy laws

“While it is vital for companies to make sure that they are GDPR compliant, they do need to keep up to speed on other data protection laws that have the potential to impact them - such as the Network and Information Systems (NIS) Directive. The NIS is of particular relevance for energy, transport, financial services, healthcare and essential digital services providers including online marketplace, online search engine or cloud computing services.

“The NIS Directive is designed to support and facilitate strategic cooperation between EU member states, including the exchange of information - in many ways it can be viewed as a complement to the GDPR. The NIS is an EU directive, rather than a regulation like the GDPR, so it has to be enshrined into law by each individual country. It’s, therefore, theoretically possible for a post-Brexit UK government to not implement it. However, in practice, the NIS is on the current government’s legislative timetable and the basic principles that it contains will probably emerge in the UK as The Cybersecurity Act in 2017 or 2018.

“Businesses also need to remain mindful of the United States’ Privacy Shield law, which is billed as an improvement and successor to the Safe Harbor provisions. It came into effect when the European Court of Justice overturned the Safe Harbor Privacy Principles in October 2015 on the basis of claims that EU citizens had been subjected to indiscriminate mass surveillance. To ensure compliance with this new law, it would be prudent for UK data exporters and US data importers to consult legal counsel and adopt some legally binding terms.”
Michael Hack, SVP EMEA Operations at Ipswitch

Data harder than legal component

“Many businesses will be focusing on the legal aspect of the regulation - in other words how much they can mitigate risk through the renegotiation of contracts with third parties. But the data component is arguably much harder to get right. Achieving compliance, or at the very least addressing the high risk areas to get their data in shape by 2018, requires organisations to act now.”
Christy Haragan, Principal Sales Engineer at MarkLogic

Compliance fatigue

“Many organisations are suffering from ‘compliance fatigue’ where they see that other requirements like PCI didn’t really result in huge fines as originally stipulated. So, they are in danger of sitting on the fence and waiting to see how GDPR plays out and they may be in for a big surprise.

“GDPR will be the first regulation that will be exported globally from the EU. Historically most regulations that affect data security have been imported from the US but with GDPR the EU is taking charge and making it mandatory to protect EU citizens’ data.”
Rashmi Knowles, Chief Security Architect EMEA at RSA
