The clock is ticking on getting ready to comply with the EU General Data Protection Regulation (GDPR). EU regulators will start enforcing it on May 25, 2018.
GDPR is less than a year away, and it’s quite a challenge to get ready for. Becoming compliant is not something that can be achieved overnight, or in a week, or in a month, or even in a quarter. A lot of privacy and security controls must be put into place or adapted to satisfy new EU standards and rights.
GDPR Compliance Preparation Is Currently Lagging
Despite the mammoth task ahead, many companies are likely not going to be ready in time.
- A recent survey found that 61% of companies had not even started the task of GDPR implementation. Only 11% said that GDPR implementation was “well underway.”
- According to an estimate by Gartner, only 50% of companies will be in compliance with GDPR by the end of 2018.
- According to another survey, 73% expressed concern about being in compliance by May 25, 2018.
- A survey conducted in March 2017 indicated that there are many areas where companies need to step up their privacy programs to meet the demands of GDPR. Many companies were still stuck on the early step of doing a data inventory.
Why Sweat GDPR?
“So what?” one might ask. “Why should companies be sweating over GDPR?”
The most common answer is that GDPR has fines up to 4% of worldwide global turnover. These are potentially enormous fines. If issued, they would not only wake up the C-Suite, but do so by pouring a bucket of ice water on their heads.
“But how many of these fines will likely be issued?” one might ask. “Will they really bother to enforce against most companies?”
I think many C-Suites might be discounting the GDPR risk because they don’t think they will likely be the ones nabbed by regulators. After all, as with most privacy and security regulatory enforcement, regulators only go after a small fraction of violators.
Of course, EU regulators could start with some bold enforcement actions and big fines, making a loud statement and scaring companies into action. There are, however, many complicated factors in the EU that could temper enforcement of GDPR. We’re not likely to see GDPR enforcement begin with hundreds of cases with huge fines.
The Major Force that Will Drive GDPR Implementation
There is a force that will drive GDPR implementation quite effectively. It’s a force that is often hidden and unsung. What is this force? It’s other companies.
The GDPR places obligations on companies that have vendors that process personal data. Many large companies have hundreds of vendors that are processing data.
Organizations that control the collection, use, or storage of personal data are referred to as “data controllers.”
Organizations that store or process personal data for data controllers are called “data processors.”
Both controllers and processors are regulated by the GDPR. And controllers are on the hook under GDPR if they do not ensure that the vendors who process their data do so in compliance with GDPR.
According to GDPR Article 28: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
GDPR Article 28 also states that contracts with processors must require GDPR compliance. Processors that subcontract with other processors must do so only upon authorization of the controller and with a contract requiring that the other processor follows GDPR. The result is data protection all along the chain of data custody.
The result: Controllers will want to reduce risk and mandate that processors be compliant with GDPR. Processors will need to be compliant or else they risk losing their vendor relationship with the controller.
Controllers have every incentive to be tough on vendors. The vendors are the ones competing for the business of the controllers, so the controllers are in the driver’s seat. If a particular vendor is falling short, the controller can find another that is able to comply with GDPR.
So my advice to vendors is that you better start working on GDPR implementation. If you don’t, you’ll be at a major competitive disadvantage. You’ll risk losing large contracts with companies to process their personal data.
A vendor might be able to survive a GDPR fine. But a vendor might not be able to survive a lot of lost business.
GDPR will have an impact far beyond how EU regulators enforce it. This is because of the intricate network of contractual relationships that companies have with personal data. GDPR will start sending some electricity through this network, and it will start lighting up.
Over time, this will lead to GDPR’s privacy and security controls being implemented more widely and eventually becoming generally accepted business practices.
Instead of seeing GDPR as a negative, companies can also see it as a positive. Being ready for GDPR will be a competitive advantage.
Other Resources of Note
- My GDPR Cartoon: Preparing for GDPR: A Year to Batten Down the Hatches
- My Guide to GDPR Training
- IBM Security Intelligence Podcast, Data Privacy and GDPR: What You Need to Know
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 4-7, 2017 in Washington, DC), an annual event designed for seasoned professionals.