In May of 2018, Europe’s General Data Protection Regulation (“GDPR”) will take effect throughout the European Union. While this advance date may seem far off now, the work ahead of companies dealing in international data exchange is substantial, and the clock is already ticking.
This broad legislation will set data protection standards for the EU and brings with it significant consequences for companies that engage in the trade of information and commerce across the Atlantic and the globe. The GDPR is pushing a sea-change in international privacy law as countries work to reduce compliance risk on transborder data transfers from the EU by rolling out legislation designed to be “adequate” under EU law.
The sweeping legislative changes are accompanied by very real consequences. A new driver behind the flurry of compliance activity among companies with business in Europe is the possibility of fines that could reach 4% of global annual revenue for an entire conglomerate. To understand their risk exposure, companies are currently assessing their compliance with the upcoming regulation in light of this potential maximum penalty.
Surveys Indicate Companies Lacking in Confidence and Underprepared When It Comes to GDPR
In a global survey (sponsored by Dell) of 821 individuals from large companies with more than 10% of their customers in Europe, only one in three companies is prepared for GDPR today, and 97% don’t have a plan to prepare for GDPR as of the survey date - September 2016.
Just within the UK, France, and Germany, 91% of respondents to Symantec’s State of European Data Privacy Survey expressed concerns about their ability to comply, but only 22% prioritize compliance in the next two years. Kevin Isaac, SVP at Symantec, commenting on the survey, said that companies are underprepared, and are still not preparing:
"There is a significant disconnect between how important privacy and security is for consumers, and its priority for businesses. The good news is there’s still time to remedy the situation – if firms take immediate action."
In a Baker & McKenzie report on a survey of privacy professionals at the IAPP Global Privacy Summit 2016, 80% of respondents felt they understood the major requirements of the GDPR, and 84% anticipated that the GDPR would impact their organization - but nearly half of respondents indicated they don’t have the tools to ensure compliance, or could only purchase the needed tools at significant cost. In fact, around 70% of respondents anticipated that additional budget or effort, in the form of investment in tools, will be needed to comply with the new requirements.
Preparing for GDPR by Implementing Automation in Incident Response Today
Companies using automation tools in incident response for HIPAA, GLBA, and state breach law compliance today are already reducing risk exposure, saving time, and preparing staff and systems for the GDPR. This is because these data breach laws share common compliance requirements. Across jurisdictions, companies are commonly required to:
- Assess incidents and notify of breaches under law and contract
- Implement privacy and security incident management processes
- Continually monitor an organization’s compliance
- Implement and administer a privacy program
- Track processing activities and agreements with sub-processors who process data, and record how and why data is processed
- Train staff on privacy and security compliance
Automation and the use of innovative technology to bring simplicity and consistency to incident response will be critical to staying on top of the changing - and increasingly stringent - requirements above. For instance, the GDPR’s 72-hour breach notification rule doesn’t provide ample time for a manual assessment process. Automated assessments and integrated compliance systems allow an organization to respond to every detected incident within the allotted time.
Learn how automation can help address data privacy concerns in the EU today, and how RADAR is uniquely positioned to provide consistent and scalable decision-support guidance for compliance with new and emerging data protection laws in Europe.