The EU is serious about data protection—R U?
- Posted on April 18, 2018
The EU’s General Data Protection Regulation (GDPR) has been on the horizon — and on the minds of CIOs — for almost a year and a half. On May 25, any organization working with data from EU citizens and residents must follow new rules on how it collects, uses, stores and shares personal information. The penalties for non-compliance are steep. The EU is not messing around.
Despite the long ramp-up and the serious consequences of failing to follow GDPR, many organizations around the world don’t seem ready for this seismic shift in data protection norms.
- According to a survey by law firm Paul Hastings, 94% of Financial Times Stock Exchange (FTSE) firms and 98% of Fortune 500 companies believe they are on track for compliance. Yet those beliefs are undermined by additional statistics showing that just 29% of FTSE firms have hired data privacy officers or additional privacy staff, and fewer than half have created a GDPR task force.
- In a recent global research study of executive and IT decision makers across all industries, Avanade found that 83% of executives admit they don’t fully understand the new GDPR requirements, despite 97% knowing they will be impacted.
The cost of protection
At Avanade, we have been working on GDPR readiness since it was announced, ensuring that our own practices are being updated with the goal of achieving the new EU standards, while also helping clients navigate their GDPR journey. As part of our research, we also talked to executives about how they expect GDPR to affect their businesses. When asked where they think their biggest expense will be related to GDPR compliance, here’s what they said (highest response by country):
- Protection of consumers’ privacy: Japan, cited by 80% of executives; Australia, 50%
- Additional security measures to protect data such as new software or technology: US, 40%; UK, 35%
- Additional personnel: Canada, 44%; Germany, 36%
- Non-compliance: France, 29%
It’s almost time to panic…almost
With less than two months to go, it’s crunch time. Whether you’re starting from scratch or putting the finishing touches on your GDPR program, there’s still time to take action. At any point in the project cycle, you can focus and make progress by:
1. Identifying the biggest areas of exposure.
2. Setting priorities that combine the top things to address (see step 1) with some quick wins to gain momentum and keep people on board.
3. Focusing communications on the people who will be affected by any changes.
4. Getting help. GDPR affects any company in the world that does business with, or collects data from, EU citizens and residents – so pretty much every global organization. Take advantage of the learning from people who are further down the road, and look to bring in tools and people who can help you apply GDPR best practices to your organization.
The push to the May 25 deadline for GDPR feels a little like the panic around Y2K. Remember that? Lots of contingency plans and priorities and communications in advance of a hard deadline. Yet, unlike Y2K, when midnight struck – and everyone breathed a sigh of relief and went on with their lives – GDPR doesn’t end on May 25; it just enters a new phase. Data Protection Impact Assessments, or DPIAs, will have to be reviewed and potentially updated every six months for each BU (business process/workflow), or sooner based on changes within an organization.
Welcome to a new era of protecting people’s information.