There are a little less than 260 working days between now and when the European Union is expected to implement a General Data Protection Rule (GDPR) that among other things fines companies up to 20 million euros or 4 percent of their revenues for willful non-compliance. The rule is scheduled to take effect May 25, 2018, but a new survey of 225 senior IT security executives in the U.S. and United Kingdom conducted by Guidance Software, a provider of security forensics tools, suggests that as many as a quarter of companies will not be able to meet that deadline. In fact, the survey finds that only 16 percent of the respondents are in an advanced state of GDPR planning.
IT service providers can infer from those results that there will be a sharp spike in demand for GDPR expertise toward the end of the year. On one level, that’s good news. But it also means the number of customers simultaneously clamoring for GDPR help is likely to overwhelm the available supply. IT service providers would be well advised to make the case to customers today for implementing a GDPR transition plan while there are still resources available.
Lingering data management issues
The survey finds that larger companies are further along. Over two-fifths (43 percent) of organizations with $1 billion or more in revenues currently have processes that can identify data records of any EU citizen and determine where that data is being processed. In contrast, only 27 percent for organizations with less than $100 million in sales have these processes in place.
Overall, more than half of companies surveyed have not yet begun to evaluate third-party products or the processes required to identify data records of EU citizens. Other areas where additional focus is needed include:
- Use/policies/procedures for the anonymization and de-identification of personal data (25 percent)
- Conducting a full audit of EU personal data manifestation (23 percent)
- Usage of cloud repositories that comply with EU encryption in the U.S. (21 percent)
- Evaluating all third-party operational partners that access personal data transfers (21 percent)
IT service providers are clearly going to be asked to provide expertise that goes well beyond simply protecting data. But it’s not clear to what degree IT service providers could price each of these services separately. Most organizations don’t have any previous experience to guide them in terms of contracting these types of services.
Getting serious about GDPR
The good news is many organizations are about to get much more serious about data management. The truth is most organizations would not receive a Good Housekeeping Seal of Approval for the way they manage their data. In effect, GDPR requires organizations to review their entire approach to data management.
GDPR also requires organizations to appoint a chief data protection officer. That may be just another role an existing executive assumes. But the survey did find that recruiting and training a qualified Data Protection Officer is a high priority for 24 percent of respondents. Another 18 percent named it a medium priority, while 15 percent said it was a low priority.
Unfortunately, there are still many business and IT executives in the U.S. that don’t realize the extent to which GDPR will apply to U.S. companies that process transactions involving citizens of the EU. Once the first few fines are levied by the EU, though, there won’t be a business or IT executive anywhere in the world that didn’t get the message.