GRC Tuesdays: GDPR Is Complicated Enough, Let’s Not Obscure It with a ‘Compelling Event Gold Rush’
As many of you will know, the revision to the European Union (EU) data protection law is the General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679 if you want the formal reference. It becomes enforceable on 25 May 2018; it was already adopted by EU member states in April of this year and does not require their individual approval.
It threatens significant fines for mishandling the storage or processing of a “natural person’s” personal data: up to 4% of worldwide turnover of the previous financial year or €20 million, or up to 2% of worldwide turnover of the previous financial year or €10 million, depending on the level of compliance. The definition of personal data is significantly broader than the previous one and includes any content that enables a person or a piece of software to link that information to an individual. For example, it can apparently include my IP address.
Why It’s Complicated
What isn’t always obvious is that GDPR applies to any organisation that stores or processes the personal information of an EU resident, not only of an EU national. Its authority is triggered by a person’s activity taking place within the Union, not by the nationality or citizenship they hold while doing so.
Furthermore, it does not depend on the country in which the storing or processing of personal data takes place. So I could be a South African buying something online from my hotel room in France from a company in the USA, and technically that USA company will need to comply with GDPR.
It will be interesting to see what GDPR means in the context of Brexit and the deregulation stance of the new USA president-elect. Before these changes, both countries indicated they would keep in step with the sentiments, and potential sanctions, of GDPR.
How Far Does It Go?
The regulation’s reach extends to:
- ‘Levels’ of importance of personal data
- Right to erasure
- Data retention consents
- Breach notifications within 72 hours for a significant event
- Protection by design and by default
- Data portability
- Profiling restrictions
Companies above a certain size are required to appoint a Data Protection Officer whose duties include demonstrating GDPR compliance to the Supervising Authority and submitting to periodic audits. They derive their authority from the Supervising Authority, are independent of the board, and cover compliance, business processes, and cyber resilience.
Thirty-nine of the ninety-nine GDPR Articles require evidence of compliance or of process; the potential burden of evidence and due diligence appears daunting. And some terms in the regulation still require additional explanation.
GDPR is one of the most intrusive and corrective regulations, ever.
This is probably why companies have been given the 2+ years to embrace the necessary changes to comply by May 2018. And also why it’s likely to become a compelling event gold rush during 2017.
What Won’t Help Companies
Compelling event gold rushes are characterised by a proliferation of startups, smart new niche solutions, and adaptations of existing solutions (which may sound like they cover more than they actually do). Throw in related buzzwords like IoT, IoE and Industry 4.0, and you have a complex and challenging territory populated with a lot of clamour about GDPR compliance offerings. It can be hard to sift out what is most relevant.
Businesses are already heavily regulated and are being asked to do more with less, striving to drive down the cost and complexity of IT infrastructure. What they don’t need is incremental point solutions to sticky-tape over GDPR pain points or gaps as they become evident.
What WILL Help Companies?
What they do need is a comprehensive requirements description, a pragmatic adoption roadmap, and a cost-effective holistic platform that delivers on that roadmap.
GDPR has many aspects to it and genuinely requires (a) a broad range of solution capabilities to cover all of those aspects, and (b) the necessary interconnectedness between them. Working for SAP as I do, I am happy to see we have the unique breadth to offer this.
Good post, but there are a couple of references to "March" (one of them being the time bomb image). Are these typos, or am I missing something?
Definitely typos, Matt. Thanks for pointing them out.