GDPR Non-Compliance Challenges and Solutions

A Majority of organizations are GDPR non-compliant nearly four months since the regulation went into force, surveys are showing. On the other hand, urgency of enforcement actions with EU GDPR (General Data Protection Regulation) are following expectations by taking a slow, lenient approach to fines for non-compliance.

There has been speculation that some countries Data Protection Agencies (DPAs) intend to be strict on the application of privacy fines, while others may choose otherwise. Because enforcement is doled out on the local level, anything is possible and we won’t know for certain until actions are taken.

What is the Incentive to Comply?

Penalties for non-compliance are business threatening enough for organizations to consider the regulation more than an administrative exercise.  But the long term brand and reputation impact may be even more impactful. The social media giant Facebook, according to its second quarter earnings release, has already incurred a loss of one million monthly active users attributed to GDPR. While the loss is minimal compared to the 376 million European Facebook users (2.2 billion worldwide), it should sound the alarm that there is a potential business risk evolving.

In April this year Facebook decided to be more proactive before the GDPR May 25^th deadline by moving nearly 1.5 Billion users outside of the reach of the EU Privacy law. This action was due to the fact that more 70% of Facebooks users were governed by the terms of service based out of the Facebook International Headquarters in Ireland that was established in 2008 to take advantage of the friendly tax benefits. The 239 million (as of December 2017) North American users were already exempt from the GDPR, as they are governed through the Facebook Headquarters at 1 Hacker Way in California.

A survey by San Francisco-based compliance and security company TrustArc found that only 20% of companies surveyed are GDPR compliant, and 27% haven’t even started their implementation. The June 2018 survey covered 600 professionals who had privacy as an integral part of their job responsibility. While the present report shows some improvements over the previous year’s report, it sums up that the compliance landscape hasn’t changed appreciably.

Common Security Challenges Persist

For example, data security solutions and services provider Thales eSecurity has revealed that 50% of US retailers have experienced a breach in the last year, up from 19% the prior year. “According to the report, 95% of U.S. retail organizations will use sensitive data in an advanced technology environment (e.g. cloud, big data, IoT and containers) this year. More than half believe that sensitive data use is happening now in these environments without proper security in place. Each of these technology environments comes with unique security challenges. As the attack surface increases, unique data security challenges need to be addressed.”

The unpreparedness of companies persists despite concerns predicted by Gartner more than a year ago. The research and advisory company predicted that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements. According to Bart Willemsen, research director at Gartner, “Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data.”

While businesses being unprepared are a serious cause of concern for themselves, their business partners, and their customers, challenges for organizations are easily identified. These challenges are attributable to the complexity and the strictness of the GDPR regulation including:

• Inadequate knowledge and poor understanding of the regulation,
• Designation of qualified Data Protection Officer,
• 72-hour data breach notification window,
• Data Flow Mapping
• Mass shortage of qualified labor force to execute the sweeping changes.

Investment to Understand What You Don’t Know

The initial process of achieving compliance has been costly for numerous organizations. Compliance investment spending exceeding has drastically increased for many multinational companies. According to a recent pwc Survey of C-suite executives form large American multinational companies, 77% plan to spend $1 million or more on GDPR compliance. 9% plan to spend over $10 million addressing GDPR obligations.

GDPR is a threat to your organization if you collect, process, or profit from the currency of personal information. Cambridge Analytica, the former political data firm, today is the poster child for this type of behavior and consequence. But they are not alone, as more and more of our organic world merges with the digital world, exploitation of personal and private data will only increase. The GDPR is meant to help curb these nefarious activities.

The solutions to the GDPR compliance challenges aren’t obvious, but organizations doing business in the EU have to decide if the investment risk is worth it. Organizations must remember that compliance is mandatory, and aligning with wiser business entities that understand GDPR compliance is a brilliant business decision. One of the presumed highest labor or cost investments is the designation of a Data Protection Officer (DPO). A DPO is required when a company’s activities “consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale…”

The 72-hour data breach notification window is another daunting challenge at face value. However, there are certain steps companies can take before, during and after a data breach to help them comply with the GDPR. Proper governance, risk and compliance through a professional integrated risk management software is definite solution for managing an ISMS. Incident reporting and evolving, robust incident response plans are crucial to attaining the breach notification of Article 33 GDPR.

Companies must determine the nature of the breach and the effects of the breach and take remedial actions. Post-breach the organization needs to begin the conversation with authorities and show all the data – at least in phases – that has been collected. Security teams must develop adequate plan to update the incident response process and recommence best practices.

Qualified labor force for data protection (information security or cybersecurity) is always at a premium in every organization. In fact the delta between jobs available in the field and the trained and qualified workforce for filling those positions is increasing day by day. In 2016, the ISACA, a non-profit information security advocacy group, predicted a global shortage of two million cybersecurity professionals by 2019.

Cultivating a risk-aware culture in your organization that germinates a bountiful knowledge tree of information sharing for the protection of private and sensitive data is the crown of GDPR compliance.