GDPR isn’t just a new mandate, it’s a new normal
April showers bring May flowers. They also bring us GDPR. May 25 is the regulation’s official enactment date.
The General Data Protection Regulation 2016/679 (GDPR) is an EU regulation with worldwide implications. According to the regulation’s site, GDPR “applies to all companies processing and holding the personal data of subjects residing in the European Union (EU), regardless of the company’s location.”
Companies around the world are concerned about GDPR, and rightfully so. GDPR comes with stiff fines and penalties for non-compliance, and the regulatory burden of managing privacy data is only going to increase.
Where does your organization stand on data privacy and GDPR? Download our GDPR checklist to find out. However, this post isn’t about helping you become GDPR compliant. Alphabet, Google’s parent company, has been preparing for GDPR for 18 months. You can make inroads in a few weeks, but for the average mid-sized organization, becoming GDPR compliant by May 25 is impossible.
That’s why we encourage you to see GDPR not just as a mandate but also as a new normal, not only about compliance but more about governance. It’s corporate governance, the system of rules, practices, and processes by which a firm is directed and controlled, that’s in need of a data privacy makeover. Let’s get started.
Take inventory of stored customer and employee data
Conduct a top-to-bottom review of all collected customer and employee data. Catalog assets that contain privacy data such as names, addresses, birth dates — anything that could be used to identify a person. Review data collection processes, document each step, and identify the people with access to privacy data. How is the data stored? How do you handle permissions? Document your findings.
Perform risk assessments
Conduct risk assessments to identify risks to the company and their business criticality. For example, Cisco’s 2018 Privacy Maturity Benchmark Study of 2,600 security professionals in 25 countries, encompassing multiple industries, found a correlation between data privacy and sales delays. Privacy-immature companies experienced an average of 16.8 weeks of sales delay, compared to 3.4 weeks for privacy-mature companies. The inherent risk of a sales delay aggravated by data privacy is serious. Delays can cause customers to reconsider or switch providers.
Assess all business functions. Data privacy applies to every department, so it’s essential to understand how all players interact with customer and employee data. The assessment also applies externally. Assess third parties on their data privacy policies and procedures. As GRC 20/20’s Michael Rasmussen wrote in a recent blog:
“Third-party suppliers represent some of the weakest links to a company’s employee and customer data. More than 63 percent of data breaches can be attributed to third parties, but the organization is still accountable and liable for these breaches.”
Review policies and procedures
Analyze company policies and procedures for connections to employee and customer data. Update them to account for data privacy. Use gap analysis to identify new policies and procedures that need to be created. Linking the newly created policies and procedures to controls helps prove compliance with privacy data regulations.
Bottom line: take data privacy more seriously. It’s good for business. High profile data breaches have exposed the personal information of millions. Companies and consumers alike are on edge, making GDPR a watershed moment for data privacy. The organization that reflects a higher privacy maturity does a better job of protecting privacy data and preventing breaches. The Cisco privacy maturity benchmark survey confirms this:
“74 percent of privacy-immature organizations experienced losses of over $500,000 during the last year due to data breaches, compared to only 39 percent of privacy-mature organizations.”
The business case for maturing data privacy
Like it or not, GDPR takes effect May 25. The good news: if you inventory your data, perform risk assessments, and review policies and procedures, you’re three-fifths of the way through our GDPR Checklist! More importantly, you’re taking steps toward addressing your organization’s governance of data privacy. Why do it? It’s not just a mandate. It’s the new normal.