The EU General Data Protection Regulation (GDPR) is causing concern for companies as they struggle to plan for its implementation, according to the latest survey to be published (registration required). The survey was conducted by Blancco Technology Group of 511 individuals working in companies with up to 10,000 employees. It throws some interesting light on the lack of tools and the long-term planning that has to take place.
GDPR is not the only challenge for companies. Google has been the centre of attention for most Right to be Forgotten claims, although other search engines and news sites have also had to face requests. What has generally been ignored is that the ruling applies equally to companies as well as to search engines and content providers.
GDPR presents a tooling and culture challenge
It might seem strange to talk about data privacy as presenting a corporate culture challenge, but that is the reality for many organisations. The cost and complexity of introducing internal data controls means it gets continually sidelined in favour of other projects that are revenue generating. With the explosion of cloud and the amount of data exfiltrated by users, as opposed to by hackers, there are already a lot of concerns over how to handle data.
Pat Clawson, CEO of Blancco Technology Group said: “Because the EU GDPR negotiations stretched on for the last four years, many organizations held out hope that an agreement would be postponed, or if things went the way they hoped, the negotiating parties would never come to agreement.
“Now that the EU GDPR is a reality and the new privacy rules will be ratified by the European Council in early 2016, many organizations have a considerable amount of work ahead of them to align their IT governance and data protection programs with both regulatory and customer demands.”
The report covering the survey data raises six areas that companies need to take on board as they prepare for GDPR introduction:
- The rules apply to both data collectors and data processors: This means that when data is purchased companies need to ask questions about provenance. The market around buying and selling lists of names will certainly be affected and this has an impact on marketing teams. If the data is retained then it will need to be regularly cleaned and validated. This is likely to lead to a significant cost jump for data management or a risk of being fined.
- Right To Be Forgotten: This is not just about search engines and content providers. Every company must be more open about what it holds and make it easier to delete or at least put information beyond access.
- Withdrawal of consent: This is likely to lead to increased amounts of small print in online contracts and end-user licence agreements. One concern is companies bullying users into accepting the handing over of data in order to use a product that they have purchased, such as software. For social media applications whose entire business model is predicated on the data they obtain from users, such as contact lists and images, this could create significant costs.
- Breach notification: The requirement to notify authorities within 72 hours of a breach being discovered will continue to be contentious. IT departments will need to ensure that there is no opportunity to hide breach discovery. Corporate legal teams will have to provide a constantly updated set of processes to ensure that breaches can be reported without being held up due to overly complex internal workflows.
- Parental consent: The number of apps being sold to children and the increased use of software and data inside games and toys has made this an important issue. The challenge will be how to prevent a child pretending to be a parent and gaming the system.
- Fines: This has seen a significant adjustment. The 4% of worldwide turnover is still in place but has been capped at €20 million. For large companies, while this is serious, it is not business threatening. For smaller companies, especially those where margins are tight, this could be business threatening.
Too many companies unprepared
Going to the heart of Clawson’s statement is the level of preparedness and tooling inside companies. 40% of the respondents admitted to being unprepared for GDPR despite the fact that privacy has been a headline item for years. Among the problems highlighted are:
- 41% of IT professionals have no idea what the process is for removing outdated customer data
- 25% have no idea how long it would take to implement new tools and pass a “right to be forgotten” audit
- 16% are struggling to find the right data removal software
- 15% have no clue about how prepared their organisation is
- 9% don’t know where or even when to start
All of these point to a failure of corporate governance and should have the board asking what the CIO and CISO are doing. The lack of process for managing privacy is a serious concern. Many companies have assumed, wrongly, that the focus of the “right to be forgotten” is about search engines and content creators.
For many years now, people have been able to ask what data a company holds and then request that it be deleted. While there are exceptions that allow companies to refuse or delay requests, these are limited. There are challenges in the way data is often backed up and archived, but there are also tools that allow access to data to be blocked, which is seen as acceptable to regulators.
Data erasure tools were highlighted by 48% of respondents as the most valuable technology to help with GDPR and privacy. Interestingly, encryption key removal tools (26%) and malware removal tools (10%) were also specifically highlighted. With the role of encryption now becoming a sensitive political issue, there are reasonable concerns that there could be a conflict between GDPR and newer legislation in some countries.
One step that privacy campaigners have asked for is some form of regular audit around privacy and data protection. This is not in the GDPR, nor is there any evidence that it will be introduced soon. However, it is within the purview of any Data Protection Regulator within Europe to order an audit. It would be interesting to see how often this has happened across the EU, but figures are currently unavailable.