What to do in the final weeks before GDPR hits
On average, only half of the companies in retail, financial services or technology and software feel they will be in compliance with the European Union's General Data Protection Regulation by the May 25 deadline.
That doesn't mean that half of the companies haven't given any thought whatsoever to the new regulation that protects European consumer data. But it likely means they could end up in danger of fines that, at the high end, could be up to 20 million euros or 4% of a company's annual global revenue.
It's a race to the finish line that also affects U.S. companies with European customers. In these final moments, every company must at least show good faith in attempting to follow the law and having procedures and technology in place to do so.
"We are weeks away and no one really knows to what extent or how quickly the EU will enforce it," said Steven Grossman, vice president of product management for Bay Dynamics, a cyber risk analytics company focusing on insider and third-party vendor threats. "If a company hasn't given it the necessary attention up until now, they certainly won't be compliant overnight."
For any company that is behind, it must at least "know what it needs to know," Grossman said. "It's like a triage approach, like an emergency room in a hospital where you assess what you are looking at and put a plan together, addressing the greatest exposures and working your way down."
Because the GDPR essentially affirms that European consumers "own" their data and companies have no right to store it longer than necessary or use it for any other purpose than its initial use, companies that handle or store data have much housekeeping to consider.
It will boil down to company policies and procedures for the most part, in addition to ongoing checks and balances, as well as stronger customer service to handle consumer inquiries regarding their data's location or planned use.
Various corporations and security companies have come to the forefront with services to help with GDPR compliance. Mastercard and IBM established Ireland-based Truata as a trust to establish new standards in data hosting processes of anonymization and pseudonymization that come into play in assuring that parts of a consumer's full set of personal information or credentials are stored in different network silos.
Bay Dynamics offers cyber risk monitoring measures and best practices for data storage, while some companies are focusing on backup data software and other compliance measures to help ease the transition to GDPR.
Unlike similar security directives, such as the Payment Card Industry data security standards, the GDPR does not deliver instructions from the European Union regarding how companies should establish network configurations or fraud alert integration.
"By its nature, GDPR does not prescribe how you need to do things, it prescribes what you need to accomplish," Grossman said. "It says something like 'you need to delete all personal data upon request,' but doesn't give directives on how to do so."
In some ways, that will make GDPR more effective, as there won't be one standard operating procedure that a fraudster could crack and then create havoc with multiple companies.
Among many other facets, GDPR says companies have to obtain more explicit consumer permission before using personal information for marketing or advertising; they have to allow consumers to inspect the data they've collected and have it corrected on request; allow downloads of their data for the purpose of taking it to a competitor; and allow challenges of algorithmic decisions and requesting that humans make those decisions instead.
To make sure a company can eventually get there, it immediately has to appoint someone responsible for the overall plan with a title of chief security or data privacy officer.
"This type of person would not be responsible for the actual data privacy, but would be responsible for getting the company in the right place to meet regulations," Grossman said.
Another key step in the final weeks is to make sure the company fully understands what consumer personal information it has on file, where it is stored, who is handling it and processing it and who has access. A company is also responsible for understanding what other third-party tech suppliers have the same data and how they are handling and protecting it.
"You can't protect what you don't know is there," Grossman said.
A documented plan with the highest priorities established as well as who is responsible for those tasks will go a long way toward being compliant, Grossman said. "In this way, you can come to the regulators, say you know you are late, but we have done our assessment and this is our plan."
More so than other data protection rules, GDPR will call for constant monitoring, follow-up and reporting because of the consumer data rights component. A company's customer service department must know how to answer questions about data use and storage upon request.
"There are always new processes and new places to store data, and you have to report those," Grossman said. "If regulators come knocking, you need to show them how your company has adapted new technology to GDPR."