It seems everywhere you look, the talk about GDPR is designed to scare you into action. Fear, uncertainty, and doubt (FUD) are powerful motivators. Probably the scariest thing of all: the potential fines. GDPR, on paper, allows for fines of up to €20 million ($24.5 million) or 4% of a company's global annual revenue.
If you applied that to a 2015 breach at Hilton (who was fined a paltry $700,000 for their “lax security practices”) they would have paid $420 million had the full force of GDPR been brought down.
That’s a boatload of cash, and definitely scary, but dolling out multi-million-dollar fines isn’t really the intent of GDPR. Elizabeth Denham, UK Information Commissioner, recently wrote that GDPR is less about fines and more about “putting the consumer and citizen first.”
“Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point,” she added. “(It’s) scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”
In fact, Denham says that there were more than 17,000 cases in front of ICO last year and just 16 of them resulted in any fine at all. And the combined value of those 16 fines? Just under £5 million ($7 million).
Of course, the purpose of fines is to incentivize a behavior. The incentive for GDPR is to force companies to take a consumer-first approach to data and security, and leading companies are starting to get ahead of GDPR.
Here’s a quick list of some of what we see happening and how it may impact you.
Take some tips from Amazon
Nearly a year ago, Amazon posted details of their initiatives designed to help their AWS customers comply with GDPR. The biggest point was revising their Data Processing Agreement to meet the requirements of GDPR. And, to educate their customers, they created a dedicated EU Data Protection microsite.
What does this mean for you? If you provide data services, you’re probably already getting GDPR questions from your customers. Be proactive and help them understand what you’re doing to help their GDPR compliance, and double-down on your efforts to protect that data from a breach.
If you have anything in the cloud (and these days, nearly everyone does), start asking your vendors questions about their own GDPR compliance as well as about the data they store and process for you. Also ask them if they’re doing everything they can to identify potential vulnerabilities that may compromise your data (which, in the world of GDPR, is technically owned by your customers).
Know what data you have and where it’s stored
A recent study by Silwood Technology, an enterprise software vendor, found that the typical enterprise has more GDPR-relevant data in more places than they probably imagine. In looking at just three data points — date of birth, social security number, and tax identification number — they found personally identifiable information (PII) in more than a thousand different SAP, JD Edwards, Microsoft Dynamics, Oracle, and Siebel tables scattered across clouds and company servers.
Since GDPR forces companies to track, enable access to, and delete a consumer’s data, they first need to know where that data is stored. Not only could these data portability and right to be forgotten issues force major development and process changes, they require you to know where all collected data is so that you can eventually find, provide, and delete it.
What does this mean for you? Start cataloging not only the data you collect but the data you already have. Further ensure that all data resides in secured locations to prevent the possibility of a breach. Since GDPR compels you to delete PII data for an individual, and if they eventually find that you did not, well then, just refer to the scary articles above.
Get creative to make up for a lack of time and resources
A survey of 4,000 startups across the U.S and Europe found that their “average GDPR-readiness score” was just 4.1 out of 10. Not good. What’s worse is 90% of these startups say they are collecting PII, yet around two-thirds of them don’t encrypt the data nor do they have a data breach notification plan.
What does this mean for you? As far as we know, GDPR has no provision for leniency towards those who didn’t have the time or resources to comply. Sorry. What we do know is that cost-effective tactics, like vulnerability disclosure policies and bug bounty programs, can be used by any size organization with any size budget.
Learn more, do more
As mentioned at the beginning, there has been a flood of content focused on GDPR, much of it designed to scare you into action. We aim to be a bit more practical, so here’s a list of resources we’ve created that may be helpful to you:
Look at your recent bug triage history to determine how many could have caused GDPR compliance issues. Our informal research, along with information from our customer LocalTapiola, found that up to 25% of bugs can impact customer data.
Follow the 12 step plan outlined by the United Kingdom’s Information Commissioner’s Office (ICO) to get ahead of GDPR.
If you’re thinking, “What’s the least I can do on GDPR?”, you’re in luck. Our Q&A with cybersecurity consultant Jane Frankland covers her GDPR “Minimalist Guide” as well as why she thinks GDPR can be a spark for your brand’s growth.
For developers, we co-produced an ebook with Assembla to help organizations prepare for GDPR by shifting security to the left in their development cycle.
Specifically related to your security apparatus, we recently looked at clauses within GDPR that directly impact security efforts such as the GDPR requirement to designate a Data Protection Officer (DPO).
Our upcoming webinar on March 20th with data privacy and security expert, Debra Farber, will cover all the details you need to know about the Data Protection Officer, and its role in GDPR.
We’ve had lots of interest (with over 200 signed up thus far) but seats are limited so register today to reserve your seat.