Over the past 12 months during this blog series I’ve tried to provide insight into some of the key aspects of the GDPR and how organisations can better prepare for the big compliance deadline day of 25 May.
Now that day is almost upon us, the question many organisations are asking is, “what happens next?”
The truth is that, despite having had years of notice, many are only now waking up to the reality of the new regulatory regime. A recent survey of RSA attendees found just 14% claimed they were fully prepared for the GDPR.
So what can we say about the post-25 May era? Well, the good news is that there’s still time to get your house in order. It might be a cliché these days, but GDPR compliance is most definitely a journey, and starting it with conviction even after 25 May will likely keep the regulators happy.
Despite doom-laden prophecies of heavy fines after 25 May, I believe this is unlikely to happen. UK regulator the ICO has always preferred the carrot to the stick when it comes to data protection and has never even used its current maximum fines of £500,000.
We’re likely to see some enforcement action and rapping of knuckles, but the big fines will be kept in reserve for those truly catastrophic breaches involving serious negligence or cover-ups. Over the past year we can point to incidents at Uber and Equifax, which spring to mind as wholly preventable breaches that were also handled poorly in the crucial months following the initial incident.
As to when the first fines will land, that is harder to say. There will be a period of learning on both sides, but the ICO is not in the habit of making an example of erring companies if there is not a good reason. Over time, however, we will get to know what kind of mistakes are most likely to result in fines, such as failure to report incidents in a timely manner, perhaps, or failing to apply the latest patches to systems.
Although the ICO recently announced changes to its funding model, another challenge remains for regulators across Europe, and that is funding. It’s unlikely that they will have the resources to go after every potentially non-compliant organisation: they will have to choose their battles. However, that’s not a green light to take the GDPR lightly. This is the new normal, so it’s best to get used to it. Organisations should look to use the regulation to drive competitive differentiation based on enhanced privacy and trust.
Where to start with GDPR
If you’ve yet to start GDPR compliance in earnest, take a look back at previous entries in this blog series for a cybersecurity perspective.
It’s vital to start by conducting a thorough data audit: know what you process, where it flows and what security controls you’ve placed on it. Then you can see whether those controls need updating. As the ICO has mentioned in the past, those who follow the current Data Protection Act will be a large part of the way there already.
When it comes to security controls, the GDPR calls on organisations to pay attention to “state of the art” technology and best practices in order to prevent the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.” This should include a Zero Trust approach to access security, which will require you to verify every user, validate their devices and limit privilege. Following those GDPR guidelines, consider using best-in-class technologies like multi-factor authentication (MFA) to keep unauthorised users out, and machine learning to adapt policies automatically in real time.
Compliance starts to get a bit tricky when you include supply chain partners — especially cloud service providers that may be located outside the EU. So pay special attention to all aspects of your supply chain and revisit and audit every single partner for compliance. As mentioned, frameworks like NIST and ISO can help from a risk management perspective and will be looked upon favourably by regulators.
Remember, as compliance is a journey this also means that you can’t sit back and relax once your house is in order. You need a dedicated cross-departmental team in place to continuously monitor processes and controls, reporting right up to the board. Keep a close eye on geopolitical developments between the EU and the UK and US. It’s still unclear what the UK’s relationship with the EU will look like post-Brexit, while the new Privacy Shield agreement with Washington is also coming under increasing scrutiny.
The GDPR D-Day is finally upon us, but this is not the end of compliance – it is just the beginning.