GDPR compliance: 4 ways new requirements for data privacy will impact operations
While the May 25 deadline for General Data Protection Act (GDPR) compliance has passed, many organizations are still shifting operations in this new era of data privacy. Despite the General Data Protection Act’s potential noncompliance penalties, which can reach 20 million euros or more, many organizations struggled to adapt their practices for the collection and processing of personal data. An April 2018 survey of over 1,000 organizations by Ponemon Institute found that almost 50 percent would not be fully compliant by May 25, including roughly 40 percent of tech industry respondents.
Despite lagging readiness, GDPR requirements are likely to have a lasting impact on data privacy from both the perspective of operations and consumer behavior. According to recent research by Gigya, 68 percent of people don’t trust brands to handle personal data appropriately. This means that for organizations that embrace transparent data collection and processing, there may be an opportunity to strengthen brand image and customer relationships.
While the full impact of the GDPR remains to be seen, there’s been an immediate shift in how not only European but also US operations must approach data privacy, processing, collection and product releases.
Here are four ways organizations can expect operations to change as a result of new privacy regulations:
1. Consumer Consent and GDPR Compliance
GDPR requirements shift the control of data into the hands of the consumer. Specific areas with operational impact include but aren’t limited to the following points:
- Consumers are required to clearly and freely opt in via “a statement or a clear affirmative action.”
- Article 7(3) of the GDPR gives data subjects the right to easily withdraw consent at any time.
- Consumers have the right to request that data be erased (Article 17), to restrict data processing (Article 18) and to receive all personal data within the controller’s possession (Article 20).
For many enterprises, GDPR requirements to ensure that “consent is freely given” required the creation of a privacy impact assessment, updated consent processes and other operational adjustments. That said, this may also represent an opportunity for a cultural shift toward more transparency-based consumer interactions around data.
2. Data protection officers
While not all enterprises are required to appoint a data protection officer (DPO), it is required for firms that do “regular and systemic monitoring of data subjects on a large scale.” According to IAPP vice president of research and education Omer Tene, onboarding the estimated 75,000 DPOs needed in GDPR-impacted countries will require significant quality control and training. This includes 9,000 projected vacancies in the US.
3. Mandatory breach reporting
GDPR compliance carries a strict timeline for mandatory data breach disclosure. Article 33 dictates a 72-hour timeline for disclosing breaches of personal data to the authorities “without undue delay,” with rare exceptions. Meanwhile, it took the average organization 206 days to detect a data breach in 2017, according to Ponemon Institute — over 68 times longer than GDPR security requirements.
Mandatory reporting must not only disclose the incident but also provide an estimate of its impact, including the “approximate number of personal data records” affected, the likely consequences and the measures taken to contain the incident.
For organizations that lack visibility into network security and operations, avoiding GDPR penalties will require the adoption of new technologies, processes and controls against security incidents. To meet reporting requirements, many must quickly embrace solutions for network visibility and security, third-party incident response partnerships and remediation planning.
4. Privacy by design and default
Article 25 requirements for security by design and default are likely to impact mobile-innovation teams. New product releases must meet technical standards such as the use of encryption and pseudonymization (Article 25). Embracing GDPR requirements for “security by design” requires executive endorsement as well as updated processes. Security by design is likely to begin in application architecture and span the testing and acceptance phases, necessitating new ways of working and new technologies for secure DevOps.
While meeting additional requirements could have an impact on strapped mobility teams, the benefits of secure innovation are clear. Ponemon and IBM studies reveal that the highest-performing brands embrace secure digital transformation from the top. Security and data privacy aren’t just tools for avoiding GDPR compliance penalties — they’re ultimately drivers for stronger consumer relationships, improved brand value and revenue growth.