One year into the GDPR, more than half of businesses are still struggling to get compliant. A recent IAPP conference on the GDPR compliance landscape closed on a sombre note: “We expect 50 percent of covered companies are still in the process of GDPR compliance and it will likely go on for another couple of years.” Another survey released May 28 reported that 75% of businesses currently doubt their ability to comply with the regulation.
What’s holding businesses back from GDPR compliance? The research points to two main areas:
Data Breach Management
The GDPR changed the obligations for data breach response and preparation. If organisations don’t want to get fined, they need to notify their Supervisory Authority of a data breach within 72 hours of detection. This notification must contain specific information about the nature of the breach and the circumstances leading up to it, as well as actions to mitigate it and any future breaches.
Even if an organisation complies with the rather speedy notification time, it could still get hit with a fine if it didn’t demonstrate that it had sufficient “technical and organisational measures” in place to detect or mitigate the breach. This seems to be the crux of business compliance failure. Mark Schreiber, speaker at the IAPP conference and partner at law firm McDermott Will & Emery, explains: “EU companies never reported data breaches. They don’t use forensic vendors. They don’t understand malware vectors and attack coordinates… The idea that EU companies could manage a 72-hour notification requirement was optimistic at best.”
Schreiber’s lament, while poignant, makes the GDPR security requirements seem far more daunting than they really are. Small and medium-sized organisations don’t need to understand “malware vectors” (a fancy way of saying the virus that just infected your computer) or “attack coordinates” (where the virus got into your system) to get on the right side of compliance. In most cases, the difference between a fine and a slap on the wrist could be inexpensive and ubiquitous technologies that have existed for decades, like an antivirus scan, a firewall, or SSL. Training in proper data protection practices is probably the best way to avoid a fine and protect your organisation, since 97% of malware attacks exploit the human, not the technology. If your organisation hasn’t done this yet, bear in mind that the costs of dragging your feet are a lot bigger than they used to be.
Under the GDPR, individuals have the right to access any personal data an organisation holds on them, along with other information: why the organisation holds it, how long it will keep it, and who else has access to it. This critical right is tough for businesses to enable operationally.
Data access behind the scenes
First, you have to make sure that the individual is who they say they are (called a Customer Identification Program), a process in which only 22% of businesses are confident of their abilities. Second, you have to make sure that you know what personal data you hold on them and where it is. Third and fourth, you need to be able to retrieve that information and present it to them in a structured format that they will be able to understand. Finally, you need to offer the adjacent rights associated with the data, such as portability, rectification and erasure.
Few businesses are going to have an easy time implementing this, and no vendor offers a real out-of-the-box technical solution that does it for you. (Trust us, we’ve tried it ourselves.) Why? Because businesses have their data all over the place, in different formats (including physical files), behind different firewalls, and labelled in all sorts of unclear and disorganised ways that only you will understand, and only if you remember all your old abbreviations. The best you’ll get without hiring on-site consulting is a step-by-step process to help you walk through each requirement.
Luckily, Sovy can help you walk through each step and help you build a data inventory (another tough requirement under GDPR Article 30). From there, we guide you through identifying, structuring, and presenting your data in a portable format. Sovy also:
- facilitates and tracks your data breach notification process, providing proper templates and forms designed to meet Article 33 and 34 requirements.
- provides courseware in data protection and GDPR compliance for different functions of your organisation (IT, marketing, data protection officer).