Businesses might be tired of hearing about the European Union’s General Data Protection Regulation (GDPR), but make no mistake – it’s a really big deal, according to speakers at Advisen’s Cyber Risk Insights Conference in San Francisco.
GDPR, now just under 100 days from being implemented on May 25, dramatically raises the financial and operational stakes for any organization handling the personal information of EU citizens. Panelists agreed that most organizations are not ready for the approaching mandate.
GDPR, with its “right to be forgotten” rules providing greater control of data to citizens and extensive redefining of which data can be considered directly or indirectly identifiable, will put great regulatory pressure on organizations all over the world. The reach goes well beyond financial information and extends into “physical, physiological, genetic, mental, economic, cultural or social” data pertaining to individuals. Many organizations simply don’t know if or how they capture those types of factors in the course of business.
“You might have something that’s not identifiable but next to something else that is identity data, it becomes identifiable,” said Jon Adams, senior privacy counsel at LinkedIn Corporation. This process of “calling balls and strikes without a clear rulebook” leaves businesses with the “odd feeling of operating in a grey space,” he added.
“The data mapping exercise becomes incredibly difficult,” said Emy Donovan, global cyber leader for Allianz. “Those are undefined terms” under GDPR’s Article 4.
Pascal Millaire, CEO of CyberCube Analytics, explained that in 2016, Symantec surveyed 900 companies on GDPR and found that only 21 percent felt they were ready for, and compliant with, the regulation.
“Perhaps companies could be forgiven, 18 months ago, for being in that situation,” he said. However, Symantec conducted a follow-up survey in the fall of 2017 and the number of prepared companies declined by two points.
Given that enforcement powers will be distributed among data protection authorities (DPAs) in individual countries, the only way to grasp the GDPR may be to see it in action. Unfortunately, running afoul of GDPR could mean fines and penalties of up to four percent of a company’s annual global turnover.