10 Things I Have Learned Helping Organisations Prepare for GDPR
Today marks the implementation of the European Union's General Data Protection Regulation (GDPR). Happy Birthday GDPR!
For some time now I have been helping organisations prepare for this day. Along the way there have been some surprising twists and definitely some unexpected turns. But what I can say is that those clients who embrace GDPR are emerging with a clear advantage. They are more agile, more responsive to their customers, more compliant with modern standards, have lower risk exposure and are better prepared for the modern economy.
In this blog, I’d like to share with you some key learnings.
1. GDPR compliance is a journey, not a destination
OK, it's a cliché but it's an accurate one. Applying privacy management and data protection to personal information that organisations have been collecting for potentially decades isn't easy. It takes serious planning and commitment. Having got there, you realise that you have to maintain those disciplines and that capability, or else your compliance recedes and you jeopardise the organisation's ability to collect new data and offer new services.
Moreover, the GDPR start date isn't the end, it's just the beginning. There are still the implementation and enforcement phases to go. In Australia, mandatory data breach notification (the Notifiable Data Breaches scheme) has just been launched, with the OAIC going through an "educational" phase before it presumably gets tough. The new Australian Government Agencies Privacy Code comes into effect on July 1, and various state governments, including NSW, are looking at beefing up their privacy laws. Nor should we forget those from the dark side, who are part of the reason for these legislative changes. The cost of cyber-crime is forecast to reach $2.1 trillion in 2019. It is already larger than the global trade in marijuana, cocaine and heroin combined.
Love it or hate it, privacy legislation is going to be with us for a long time.
2. Think you aren’t affected by GDPR? You’re probably wrong!
So, my organisation is in Australia, GDPR doesn't affect me, right? Wrong! GDPR applies to every organisation that processes the personal data of individuals in the European Union, wherever that organisation is located, if it offers goods or services to those individuals or monitors their behaviour. Note that the test is where the person is, not their citizenship. Offer a service to people in the EU or collect their data and you are subject to GDPR.
Moreover, here's a little-understood implication of GDPR. If you process data on behalf of an EU-based organisation as part of a B2B relationship and you suffer a data breach, then that EU organisation is also considered to have suffered a data breach. It remains the controller of that data, must notify its supervisory authority within 72 hours of becoming aware, and depends on you to tell it "without undue delay". GDPR (Article 28) also requires controllers to use only processors that provide sufficient guarantees and to bind them by contract. You can therefore expect your EU-based customers to update their contracts with you to include an indemnity clause that passes the penalties and other costs along to you should you be the cause of the breach. This is already affecting business-to-business relationships between EU-based and non-EU-based organisations, where GDPR compliance, or GDPR penalty indemnification, is seen as a competitive advantage if not a pre-requisite.
3. Without investment in stakeholder and employee engagement and cultural change you’re destined to fail
Privacy and data security are business challenges first and technical challenges second. Consider this example: you are implementing data controls in two organisations which are data rich and have a highly collaborative ethos. Employees exchange new and existing data both internally and on cloud-based collaboration tools.
In one organisation employees and stakeholders understand why data controls are being applied. They embrace the reasons for the change (some more willingly than others) and comply with both the detail and the spirit of the data controls being implemented. In this organisation data sources are voluntarily identified, data controls are quicker to implement and well understood, productivity is minimally impacted and may in fact rise, compliance is achieved more cost-effectively and customer personal information is safer.
In the other organisation the reasons for, and details of, data controls are not understood by employees and stakeholders, who are blindsided by their implementation. In this organisation data sources are hidden, data controls take extensive periods to implement and are actively resisted, productivity is severely impacted, compliance is doubtful and expensive, and who knows where the customer personal information is?
If employees and stakeholders don't understand what we are doing and, more importantly, why it is being done, they will find a way around it or work against it. Ensuring employee and stakeholder understanding, engagement and participation is vital.
4. Privacy by design and default is essential and cost-effective.
Privacy by design and by default is now mandatory under GDPR (Article 25).
Privacy by design means that organisations need to consider privacy throughout the complete development process of new products, processes or services that involve processing personal data. Privacy by default means that when a system or service includes choices for the individual on how much personal data he or she shares with others, the default settings must be the most privacy-friendly ones: only the personal data necessary for the specific purpose is collected, processed, retained and made accessible, unless the individual chooses otherwise.
Implementing privacy by design and by default is not only cost-effective in the development of new products and services; it also reduces the operational cost of complying with data subject requests under GDPR and can improve market perception of your organisation. It's also a lot cheaper than retrofitting changes after a product or service has been implemented.
5. Those big sanctions are there for a reason, and they are effective
I have spoken to a number of IT execs and managers about GDPR sanctions. When I mention "up to €20 million, or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher" I have had lots of winces, heard "say again?" and "how much?" many times, and seen quite a few shocked faces. I have yet to hear a "no worries" or "yup, got that covered". Those big sanctions get attention at senior level; no-one wants to be that (or that former) team member who cost the organisation €20 million, or 4% of worldwide annual turnover.
The fact that member states can add their own penalties on top, including sanctions against individuals (Article 84), is just the cherry on top, and don't forget that data subjects have a right to compensation (Article 82), so there is always the possibility of civil action after the regulators are finished with you.
6. If you are not sure what Personal Information your organisation holds, you are not alone.
When I ask those same IT execs and managers "do you know all of the personal information your organisation collects, where it is and who has access to it?", I have never had a "yes".
Organisations collect massive amounts of data; in fact, for some organisations it's all they do. It's at best very difficult and at worst impossible for any individual to know where all that data is. That's why privacy by design and privacy by default are so important. It's also why cultural change is vital.
Most importantly, if you do feel that you don't know what personal information your organisation holds, you are not alone; in fact, in my experience, you are in the majority. Don't let that be a barrier to getting started.
7. Data protection solutions are available.
Your greatest challenge is not technology. Your greatest challenge will be mobilising your organisation to meet the requirements of GDPR: preparing a team, identifying what data you have or will have, and developing an agreed plan to implement GDPR compliance. Technology solutions are important but are further from the top of the list than you might think.
That said, when you are ready there are some surprisingly comprehensive solutions available. From data discovery and classification, to data loss prevention, to perimeter and endpoint defence, to identity, access and governance, there is an abundance of tools available. The trick is to know what data you collect, have a plan to make its collection and processing GDPR compliant, and to evaluate and employ technology tools within that context rather than buying tools first and looking for a problem afterwards.
8. Data protection is a game of percentages
When protecting data one positive is that it's a multi-layered discipline. A weakness in one area is rarely catastrophic on its own and can be partly compensated for by strength in others. A strong perimeter defence can reduce the exposure created by an unsegmented network. Limited data encryption can be partly offset by good identity and access management. A good patching regime and a powerful awareness and cultural programme can mitigate a lot of other weaknesses. Treat these as compensating controls: document which weakness each one covers, so you know what you are relying on and what breaks if that control fails.
The point here is not to say that you should accept weaknesses. You should not; you must always keep working at them, and a 1% improvement here and a 2% risk reduction there soon add up. The point is that you have options. If you are limited in one area, say network topology, then you can take action in other areas to improve protection and lower your risk profile.
9. It’s never too late to start, in fact, you have to.
The words "reasonable steps" are prevalent throughout privacy legislation: "entities must take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs" (Australian Privacy Principle 1.2, Australian Privacy Act), or "the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure" (GDPR, Article 17(2)). GDPR's security obligation (Article 32) is phrased slightly differently but to the same effect: "appropriate technical and organisational measures to ensure a level of security appropriate to the risk", again taking into account the state of the art and the cost of implementation.
"Reasonable steps" is the standard to which organisations are held to account in the event of a data breach or a failure to meet an individual's rights.
Many organisations face significant challenges in ensuring compliance with GDPR. What's important is that they recognise those challenges and begin the process of meeting them. Doing so at least gives the organisation the ability to make some kind of argument, or take some kind of position, that it is taking "reasonable steps". Organisations that have taken no action to identify compliance challenges, or no action to address identified challenges, have no argument to make and no defence. In the event those organisations have a data breach or fail to meet an individual's rights, they are facing some very scary sanctions…
10. Embracing GDPR might be one of the best things your organisation has ever done.
Love it or hate it, privacy legislation is part of the business ecosystem now.
An organisation that enthusiastically embraces GDPR is going to emerge with substantial advantages. Your organisation will have privacy by design and by default embedded into its practices, your customers’ personal information will be better protected, and your stakeholders and employees will have a better understanding of how they should use that data.
Your customers are going to feel that they have an appropriate level of control over their personal information, which can only be positive for your relationship with them and for your organisation's brand. You will have improved B2B relationships, which is an advantage over your less organised and less enthusiastic competitors.
Privacy compliance isn't in the future, it isn't some ideal state; it's here, now, this very day. Seize the moment to engage and commit your stakeholders, grasp the nettle, rise to the challenge, and you might just find that embracing GDPR was one of the best things your organisation has ever done.