GDPR Deadline Is Here: Are You Ready?
Ready or not, the dreaded deadline for compliance with the EU’s daunting General Data Protection Regulation (GDPR) is here.
According to a recent survey of more than 300 C-level security executives by Netsparker, companies are taking GDPR very seriously. While many still aren’t compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), almost all (99 percent) of the executives surveyed said their organizations were actively involved in the process to become GDPR-compliant. Additionally:
- About half were 75 percent of the way through the process.
- Another 37 percent were halfway there.
- More than two-thirds were confident that they’ll be fully compliant by the deadline.
- Only 2 percent said it’s unlikely that they would be ready.
Ferruh Mavituna, Netsparker’s CEO, tells Channel Partners there will be many who will not be completely compliant by the deadline, but “it’s not like GDPR is knocking doors and checking compliance.”
“Similar to PCI (Payment Card Industry Data Security Standard) or insurance, unless an issue arises, many details of GDPR compliance will not be scrutinized,” he said. “I’m pretty sure there won’t be an additional deadline; however, GDPR will be a soft launch, and they already said that they will warn first and take actions later. So companies will be warned before fined unless there is obvious abuse.”
Tim Vogel, Evolve IP’s vice president of compliance and security, tells Channel Partners the first item data-protection authorities (DPAs) will focus on will be breach notification.
“They seem to be greatly concerned with this area,” he said. “Companies should make sure they have a defined and tested process in order to comply within the 72-hour (notification) requirement. Even if a company cannot identify specific subjects that may have been impacted by a breach, it will be better to notify their DPA of the occurrence and let them know that additional investigation is happening rather than say they are waiting until all the facts are known.”
If an organization hasn’t reached compliance, it’s important to “make sure you have a program in place and are showing progress towards compliance, even if you won’t be finished prior to the deadline,” Vogel said.
“Eighty or 90 percent of the way is much better than trying to wait until everything is perfect,” he said. “It took Evolve IP, Evolve IP EU, and Evolve IP UK about a year to get to the position of being ready for GDPR.”
Becoming compliant is not something that you can pay for, but it is a process that your team must work on, Mavituna said.
“Most of the tasks can only be done manually, and by people who are familiar with the system, such as documenting and evaluating all existing processes and modifying/fixing when something needs to be changed,” he said. The only way to speed up the process of becoming GDPR compliant is to …
When I read articles like this I have to shake my head. Did you in this survey ask how many have and will deliver Indirect Identifiers? If so, and if honest, 95% or greater will say, “What is that?” I wonder if these surveys included a list of questions asking specifically what and how they are accomplishing discovery/encryption, consent communications and documents, true erasure of all data when requested, how they are handling emails and unstructured data, all just to name a few. Are they centralizing their data to do these processes? If not, how can they be doing relationships and correlations of data across databases and operating environments?
Not being an ass here – this is just the reality, and I am finding that the studies and surveys stating 93% or greater are not ready make for a more realistic article to write.