As we move toward 25 May 2018, when the European Union General Data Protection Regulation (GDPR) comes into force, most enterprises are focused on just two questions: Are we affected? And, how do we comply?
The past months have made it clear that GDPR is more far-reaching than some initially thought. Your company is subject to this new regulation if it processes the personal data of even one individual in the EU, or does business from even one EU location, no matter where it is headquartered or where else it operates. As a result, you may currently be rushing toward full GDPR implementation, making changes both to achieve compliance by the deadline and to maintain compliance on an ongoing basis.
Beyond the near term, however, I see GDPR as a fantastic opportunity to unify and simplify the way organizations and governments defend and protect data. GDPR is a regulation, not a directive: it applies directly in all 28 EU member states rather than being transposed, and interpreted, separately by each national government. It explicitly names technologies, such as encryption and pseudonymisation, that help protect enterprises against cyberattacks. Furthermore, GDPR implicitly encourages disciplines that improve cybersecurity, such as data loss prevention, identity governance and monitoring. As a result, I expect GDPR to be a catalyst for cybersecurity investment over the long term, and to make those investments more effective, since companies must meet identical high standards across all EU countries where they do business.
GDPR will spur investment in the following areas:
- Privacy safeguards. At the core of GDPR is the Data Protection Impact Assessment (DPIA, often called a Privacy Impact Assessment or PIA), a process to determine where personal data sits, in which format, who manages it, for how long, and what risks the processing poses. After this initial assessment comes protection and defense, starting with defining processes and protocols to know and manage who has access to what data. These requirements will spur additional investment in preventing and addressing unauthorized access.
- Monitoring. GDPR's accountability principle requires enterprises to be able to demonstrate effective privacy safeguards at any time. This requirement is far more rigorous than a periodic audit, which merely shows results, good and bad, at a given point in time. Investment in improved monitoring, as required by GDPR, can only benefit enterprises that seek to avert, detect and respond more quickly to a potential cyberattack.
- Breach communication. GDPR requires companies to notify the appropriate supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals); a later notification must be accompanied by reasons for the delay. The law is silent about whether an organization will incur liability if it doesn't detect a breach that quickly. My opinion is that ignorance will not be considered a valid defense. Reporting a breach several months after it occurred will cause regulators to question the quality of a company's control and reporting capabilities. Therefore, enterprises have new incentives to invest in disciplines that improve cybersecurity monitoring and reporting. It's also interesting to note that the first drafts of GDPR called for data breach reporting within just 24 hours, which makes me wonder whether regulators will choose to shrink this communication window over time.
Any sweeping new regulation may have unintended consequences. GDPR sets forth privacy obligations, enforcement and penalties that differ from those in other regions of the world, requiring multinational enterprises to carefully consider and navigate those differences. In addition, the Data Protection Officer (DPO) that GDPR requires many organizations to appoint may not always be in sync with the departments tasked with the mechanisms that ensure data security, such as development, infrastructure and network management.
Overall, however, I consider GDPR something to celebrate. It sets uniform standards for data privacy and security, and provides incentives for enterprises to invest in cybersecurity that could reduce cybercrime around the world.