We recently sat down with Jonathan Armstrong, Compliance and Technology Lawyer and Partner at Cordery. Jonathan was a guest in a Tufin webinar entitled “The ABCs of the EU GDPR: Here's what you need to know.” In this blog, we discuss the most pressing General Data Protection Regulation (GDPR) compliance questions.
A recent study by Spiceworks examines the readiness of IT departments regarding the upcoming GDPR regulations deadline of May 2018. The results are troubling: “15 percent of IT departments in the U.K., 14 percent in the rest of the EU, and 21 percent in the U.S. have no plans at all to prepare for GDPR in the next 12 months.” Perhaps even more concerning is that 50 percent said they aren't preparing for GDPR because it's “not a priority at their organization.”
For Jonathan Armstrong, Compliance & Technology Lawyer and Partner at Cordery, these results aren't unusual. In the United States specifically, he estimates that only roughly 25%-30% of companies have started their planning. That leaves a large percentage of companies that haven't begun GDPR prep at all, which Armstrong says is worrying: “Most corporations that don't start now won't be ready in time.”
Why are people procrastinating? While there are a host of reasons why companies aren't prioritizing GDPR readiness, Armstrong pointed out two scenarios that he commonly sees.
- In some cases, those responsible for GDPR feel a sense of shame over the fact that they don't know as much as they should about GDPR. They don't know where to begin and feel overwhelmed, which leads to inaction.
- In other cases, people are burying their heads in the sand and hoping it will simply go away. This is due in part to the attitudes around GDPR at their respective organizations. If the management team doesn't prioritize GDPR, why should anyone else?
Armstrong's advice is for these folks to educate themselves quickly to advance their knowledge of GDPR. He suggests it's an opportunity for people on the tech side of the business to shine by helping their employers prepare for GDPR.
No matter the reason for putting off GDPR, it's a mistake to delay. To begin, there are steep fines for non-compliance – organizations can be fined up to 4% of annual revenue. GDPR also gives individuals more rights to sue companies for compensation, increasing the potential for civil action. In addition, regulators can restrict operations. According to Armstrong, all of this can lead to public naming and shaming.
And yet, this goes back to the original point of non-readiness. What does Armstrong see as a “wake-up call” for companies that might be ignoring or delaying their GDPR preparation?
“The reality is that there are two things companies should do to understand the importance of GDPR compliance to their organization,” says Armstrong.
He first recommends that organizations look at the enforcement action in the EU and at how organizations from most sectors have been on the wrong end of enforcement of the existing law. Enforcement is not limited to healthcare, for example.
Secondly, Armstrong recommends that organizations consider the value to the corporation as customers start to ask companies tough questions about their compliance. Armstrong referred to one company that has a monthly call with one of its biggest customers to keep them updated on its GDPR-compliance process and to constantly assure them that it is going to be compliant by the deadline. “Think of this,” says Armstrong. “If customers aren't confident that you're compliant, they'll find someone who is.”
Armstrong would ask company executives a simple question: “If 4% revenue liability isn't a priority for you, what is?”
Self-help: a hindrance to GDPR compliance
If an organization has made GDPR readiness a priority, has seemingly done its due diligence, and has checked all the boxes, it appears to be on track to meet the GDPR compliance deadline. But assuming self-sufficiency can leave the company a victim of its own insular thinking, which begs the question: “What are some pitfalls or obstacles in the GDPR prep process that companies will face?”
According to Jonathan Armstrong, Compliance & Technology Lawyer and Partner at Cordery, one potential pitfall is the idea of “self-help” – the idea that you can do GDPR by yourself and gain all the knowledge you need by doing a quick search online. The reality is that self-help isn't the best route, particularly when going about something so serious. Armstrong points out that you wouldn't do your own real estate transaction through “self-help,” but you would invest the money to hire a professional. The same is true with GDPR, particularly considering the ramifications of making a mistake. “This isn't a project to save a few thousand dollars on,” Armstrong cautions. “You need a professional.”
In the same vein, companies might make a similar mistake and be tempted to copy a one-size-fits-all template that doesn't consider the nuances of their industry, their network, and their business requirements. An insurance organization, for example, will need to take a vastly different approach than a manufacturing organization. As a second example, a B2B organization will have different data protection priorities than a B2C organization. Armstrong strongly warns against using an off-the-shelf plan.
Three key takeaways to meet GDPR compliance
For companies that are just beginning to think about how they'll prepare for GDPR, Armstrong has the following advice:
- Draw up a plan, make sure it's achievable, and begin by completing smaller, more manageable tasks.
- Concentrate on the key areas that are likely to cause you the most difficulty (e.g. subject access requests and data security).
- Put a focus on raising awareness. It's critical that everyone knows what is expected, and pre-GDPR awareness training should be started as soon as possible. Armstrong has seen companies have success when they promote GDPR in different ways, like putting up posters in the office kitchen. It's something simple, but as Armstrong says, “It gets everyone thinking.”
Armstrong recommends that when it comes to GDPR, you should not cut corners and should make sure that you work with qualified, experienced professionals. He also warns organizations to be on the lookout for false information regarding GDPR. As we get closer to the deadline, Armstrong sees more and more vendors hastily putting out erroneous information around GDPR. In fact, it's becoming so commonplace that Cordery created a “GDPR fake news” video that outlines false information companies should review before assuming anything is true. He reiterates that organizations should only work with a trusted authority or expert.
For companies that are looking to develop a mature security posture while deploying and enforcing security policy across the enterprise, the Tufin Orchestration Suite enables enterprise security and IT teams to employ a comprehensive risk management and policy-driven compliance program across their increasingly complex and heterogeneous environment.
Check out Tufin's webinar with Jonathan Armstrong to learn more about the role of Network Security Policy Management (NSPM) in becoming GDPR-ready.