GDPR Deadline Is Here: Are You Ready?

Ready or not, the dreaded deadline for compliance with the EU’s daunting General Data Protection Regulation (GDPR) is here.

According to a recent survey of more than 300 C-level security executives by Netsparker, companies are taking GDPR very seriously. While many still aren’t compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), almost all (99 percent) of the executives surveyed said their organizations were actively involved in the process to become GDPR-compliant. Additionally:

Netsparker’s Ferruh Mavituna

Ferruh Mavituna, Netsparker’s CEO, tells Channel Partners there will be many who will not be completely compliant by the deadline, but “it’s not like GDPR is knocking doors and checking compliance.”

“Similar to PCI (Payment Card Industry Data Security Standard) or insurance, unless an issue arises, many details of GDPR compliance will not be scrutinized,” he said. “I’m pretty sure there won’t be an additional deadline; however, GDPR will be a soft launch, and they already said that they will warn first and take actions later. So companies will be warned before fined unless there is obvious abuse.”

Tim Vogel, Evolve IP‘s vice president of compliance and security, tells Channel Partners the first item data-protection authorities (DPAs) will focus on will be breach notification.

“They seem to be greatly concerned with this area,” he said. “Companies should make sure they have a defined and tested process in order to comply within the 72-hour (notification) requirement. Even if a company cannot identify specific subjects that may have been impacted by a breach, it will be better to notify their DPA of the occurrence and let them know that additional investigation is happening rather than say they are waiting until all the facts are known.”

Evolve IP’s Tim Vogel

If an organization hasn’t reached compliance, it’s important to “make sure you have a program in place and are showing progress towards compliance, even if you won’t be finished prior to the deadline,” Vogel said.

“Eighty or 90 percent of the way is much better than trying to wait until everything is perfect,” he said. “It took Evolve IP, Evolve IP EU, and Evolve IP UK about a year to get to the position of being ready for GDPR.”

Becoming compliant is not something that you can pay for, but it is a process that your team must work on, Mavituna said.

“Most of the tasks can only be done manually, and by people who are familiar with the system, such as documenting and evaluating all existing processes and modifying/fixing when something needs to be changed,” he said. The only way to speed up the process of becoming GDPR compliant is to …

… dedicate more resources to it, and in this case, we are talking about (people).”

For many companies, the “breadth of policies, processes and technical security controls” required often appears daunting, Vogel said.

“Outsourcing components of their infrastructure to IT channel partners who have already achieved compliance can greatly reduce the burden on an organization trying to tackle everything themselves,” he said.

One way to help keep costs under control is to work with partners that have “robust compliance programs and a good understanding of the GDPR requirements so that the necessary integration is easier for all involved,” Vogel said.

Being compliant requires a lot of effort and costs a lot of money, hence why many businesses to this day do not really do much in terms of compliance and manage to fly under the radar for years, Mavituna said.

“Yet it seems with GDPR we have a different story,” he said. “I was quite impressed to see that most businesses will be GDPR compliant by the deadline. That is not something you see every day.”

GDPR will definitely have financial repercussions for companies operating and serving users within Europe, said Gil Regev, RGK Mobile‘s chief communications officer.

“From online banking and insurance companies to mobile-commerce providers and social networks, they will all need to inform users of their data-collection and maintenance practices and receive explicit approval from users,” he said. “This could mean that millions of current users not checking all their emails or those who block pop-ups could miss these alerts, potentially forcing a vendor to block or remove accounts from its database. The consequences here could reach far beyond what the EU has signed up for and the room for compliance interpretation is in dire need of clarification.”