This is an atypical post for me, since I try to keep my topics light and add a bit of humor. The subject of regulatory compliance is not at all humorous in light of the serious ramifications this newish regulation could have on organizations that process data in the EU, or on organizations outside the EU that offer goods or services to individuals in the EU.
You may be under the impression that the General Data Protection Regulation (GDPR) is just another compliance requirement, much like its many friends: SOX, HIPAA, PCI DSS, GLBA, FERPA, to name a few. Although these regulatory friends span various markets, they share commonalities rooted in their compliance requirements, while also having their differences. Many of those commonalities come down to the laxity the governing bodies allow in achieving or satisfying the varying degrees of requirements listed in the regulations, and in the interpretation of those requirements.
GDPR was adopted by both the European Parliament and the European Council in April 2016, and will come into force on May 25th, 2018. In my opinion, this was a very quick adoption and has caught many US organizations by surprise. I suspect that once GDPR goes into effect, it will catch many more by surprise, especially as organizations find out they aren’t compliant.
If you are familiar with any of my posts, you know I write from the perspective of having been in and around the Identity Governance and Administration (IGA) space for the last 20 years. I am publishing this article as a PSA to all those who think that the GDPR regulation will be just like the others and you will, over time, be able to back into these requirements with laxity being provided by the EU.
GDPR applies to “personal data” and “sensitive personal data.” The meaning of each of these terms is somewhat open to interpretation, which is a little worrisome. The indications are that it could mean anything from an IP address to contact lists, personal identifiers, HR information, customer information and quite a lot of other information (see Article 9), along with the various ways in which you may need to dispose of this information.
My perspective, in reading the regulation, as well as my interpretation coupled with my knowledge and understanding of the intent of the EU, is that this is not a warning shot sent over the proverbial bow. GDPR is real, it is almost here, and it is groundbreaking in its position on protection of personal data and the requirements that organizations will comply with for personal data rights.
The most startling aspect of GDPR is what an organization could potentially have to pay in terms of fines. Fines can come if there is a breach, if an organization doesn’t process an individual’s data in the correct way, or if an organization is required by the conditions of the regulation to have a Data Protection Officer (DPO) and doesn’t have one. Any or all of these could result in fines, but what is unique is that it is not a set penalty; it is a percentage ranging from 2% to 4% of the organization’s global turnover, depending on the size of the organization, the severity of the offense and the ruling of the governing body.
This isn’t to say that there won’t be any leniency in the above scenarios; it has been stated that if an organization is working towards compliance and can prove what it is doing, it may be able to stave off fines for a short time, but not in perpetuity. The real question is: what is your organization doing right now about GDPR compliance? Putting your head in the sand on GDPR is not the way to go; the EU is very serious, and it has had data compliance requirements in place previously. This is the newest evolution of a serious strategy towards data privacy.
If you have questions about how GDPR might affect your organization, I would encourage you to message me or any other consulting company that might be able to help you evaluate your current position and assess your risk. My company and others can help get you a better understanding of how GDPR might touch your organization or how you might be exposed, in general, around data privacy.
My utmost and sincere advice is, don’t wait until May to start thinking about taking an initial look at GDPR compliance; it might be too late to start then.