Now that May 25 has passed, it’s time to push the panic button if you don’t comply with the European Union’s General Data Protection Regulation (GDPR). Right?
Judging from the alarm bells sounding across the blogosphere, that’s what many would have you believe. If you haven’t reached GDPR compliance by the deadline, they say, you should be afraid. I agree—but not for the reasons you might think.
How did we get here?
Organizations have had two years to comply with this sweeping regulation, and perhaps should have seen it coming long before. The GDPR was in the works, and in the news, for four years before being adopted in April 2016.
But maybe some CIOs weren’t paying close attention. The GDPR’s predecessor, the Data Protection Directive (95/46/EC), affected only businesses located within the EU. Now, though, the GDPR will apply to every organization worldwide doing business with EU resident citizens.
That means, essentially, that every enterprise with an online presence must be in compliance with the GDPR—because being online means collecting or processing data, and data privacy is the GDPR’s reason for being.
Read the law, and you’ll see: data privacy is human privacy, it states. And, since the Data Protection Directive was enacted in 1995, the internet has grown by leaps and bounds to become not only a part of daily life, but, in many cases, a driver of it.
In return, our online behaviors get tracked, with sites collecting data we provide voluntarily as well as, often, unknowingly. The GDPR acknowledges that the situation has changed, and so, now, will the rules.
In enacting the regulation, however, the European Parliament and the Council of the European Union recognized that GDPR compliance wouldn’t be easy. So, although they finalized the law in 2016, they granted a two-year grace period to give businesses time to make needed changes.
Among the 99 controls organizations must comply with:
- An expanded definition of “data.” Not only does the term apply to names, email addresses, and phone numbers, but, under the GDPR, to IP addresses, as well. And “special categories” including religious preference and gender and sexual identity must be handled in very specific ways.
- Consumer notification and “opt in.” The old “opt out” feature is no longer good enough: EU resident citizens must agree to the use of their data for specific stated purposes, and must be notified again, and opt in again, if those purposes change.
- The right to back out. If data owners ask for their data back, the organization must provide it promptly. EU citizens can also request that their data be erased from any system—the infamous “right to be forgotten” provision.
And the onus is on the enterprise, if challenged, to document compliance with the GDPR.
No excuses for noncompliance
The penalty for non-compliance is steep: 4 percent of annual global revenue or 20 million euros, whichever is higher.
Yet a recent survey shows that 60 percent of businesses will miss the deadline. Many say they lack the budget and staff knowledge to implement all the changes the GDPR requires.
Should these businesses be worried? Yes. But not necessarily because of the threat of fines. As the European Commission’s infographic demonstrates, penalties for noncompliance follow a four-step process:
- A suspension of the right to process data
In other words, if your organization is working toward GDPR compliance and can document your efforts, the EU probably won’t penalize you if you haven’t finished by May 26.
If your systems are hacked and the data you have collected gets breached, however, you may be in trouble—especially if you do not meet the mandate requiring you to notify the authorities and affected data owners within 72 hours.
The real reason to worry
In today’s climate, however, you incur another risk in failing to comply with the GDPR: your business’s good name.
With recent news reports of social media sites selling users’ personal data, citizens around the world are increasingly concerned about their own data privacy.
How would your enterprise’s reputation suffer if you were reprimanded or fined for improper handling of personal data under the GDPR? What would happen to your brand if you were breached?
Amid all the “Doomsday” scenarios being painted right now around the May 25 GDPR compliance deadline, public perception of your business seems the most exigent reason to double down on your compliance efforts.
Getting caught with your GDPR pants down would be bad enough—but even worse in this day and age, when privacy is top of mind.
How not to worry
If you haven’t yet met the requirements of the GDPR, now is the best time to accelerate your efforts and to get your documentation in order. Are you tracking the data your organization is collecting or processing from EU citizens? Do you have their opt-ins handy in case you need them? Have you trained your employees on the GDPR, and have their attestations available, as well?
With 99 controls to meet, the task of GDPR compliance can seem overwhelming, especially if you’re using spreadsheets to keep track of your progress.
But what if you could deploy software to do most of the work for you—checking your systems to see where you already comply and where you don’t; providing checklists of tasks that you need to perform to get into compliance; documenting your efforts and progress; automating workflows; performing periodic self-audits; measuring employee comprehension; notifying you when the law changes and telling you what you must do in response; and more.
Reciprocity’s ZenGRC solution performs these tasks for your organization, and provides a centralized “System of Record” dashboard showing your compliance status and “to dos” in a single glance. Ready to use in just four to six weeks, ZenGRC can help your enterprise reach GDPR compliance more quickly and easily.
What is more, ZenGRC’s sophisticated algorithms can check your systems for compliance with other relevant regulations and frameworks, as well, such as HIPAA, SOX, SOC 2, and more. Comparing and contrasting, it can apply each action you perform to compliance across the board, automating where possible—doing the work so you don’t have to.
Running a business isn’t easy, especially as technology and the rules around it seem to continually change. Trying to keep up can be so stressful.
Taking a Zen approach can help. ZenGRC is designed to take the worry out of GDPR compliance, step by step—freeing your mind to focus on your customers.
Call Reciprocity today to ask an expert how ZenGRC can make GDPR compliance a simpler, more streamlined experience for your enterprise.