As sure as the seasons are changing, the date for GDPR enforcement is on its way.
As a refresher, GDPR is the EU regulation that protects the personal data of individuals in the EU (its "data subjects") from breaches and other misuse, and that holds the enterprises which control or process that data accountable for misuse arising from their negligence.
Whether you've been poring over the vast GDPR resources or just checking in now and again to see how the situation is unfolding, you're no doubt aware that if you do business with the EU in any capacity, you'll want to be ready when the May 25, 2018, enforcement date arrives.
Before we dive in, it's important to note that this post doesn't serve as legal advice. If you'd like guidance on your company's specific circumstances, please consult your legal counsel.
Depending on your IT setup, hitting some of the GDPR benchmarks might be a snap, requiring only a little retooling of your processes here and there. In other cases, they might require a significant re-architecting of your IT, especially if your systems were assembled piecemeal over time without security being considered from the outset.
Just looking at the list of GDPR objectives and trying to figure out where to start can be a little intimidating, and can leave you wondering about specific terminology. So your best first step for determining the right course of action to take is to pursue a GDPR "gap analysis," which will determine where your system is succeeding in meeting GDPR benchmarks, and where there is work to be done.
There are organizations that perform a full end-to-end analysis and report on where your operations stand with respect to the regulation, as well as downloadable tools you can use to get started.
After you recognize where the gaps are, you can plan the necessary steps to reach full compliance.
GDPR compliance will not be a "set it and forget it" setup. Just as managing cybersecurity these days requires being constantly on top of the emerging threats and changing demands, staying GDPR compliant will mean revamping certain aspects of your operations to keep up with the regulatory demands.
That means taking steps such as:
Since meeting such demands could mean significant changes in the culture and even hiring practices of your company, it's worth thinking about this early – and taking it seriously!
One of your biggest concerns about GDPR compliance is no doubt the sizable fines attached to non-compliance. The fines have been structured so that companies cannot simply write off non-compliance as a business expense; they are large enough that a business will genuinely want to avoid them.
That said, a closer look at the enforcement framework shows that a first, unintentional infringement need not result in a catastrophic fine. Warnings and reprimands are among the corrective powers the regulation gives supervisory authorities, so an honest oversight right when things are getting implemented may draw a written warning rather than a penalty. Keep in mind, though, that this is at the authority's discretion, not a guaranteed first-offense pass.
However, beyond that initial warning, a violation may lead to:
From there, you reach the fines themselves, which can run into the millions or tens of millions depending on the severity of the infraction: the regulation sets maximums of 10 million euros or 2% of worldwide annual turnover for the lower tier of infringements, and 20 million euros or 4% of worldwide annual turnover for the upper tier, whichever figure is higher in each case.
In the rush to figure out how this new regulatory burden will affect how you do business, and to determine how it might put you at risk for fines, it's understandable that you might lose track of the considerable positive aspects of a rule like GDPR.
At the end of the day, GDPR exists to protect the personal data and privacy rights of people in the EU, including from the all-too-common fallout of breaches and cybercrime, which affect people well beyond the EU. And while it may seem a little odd to find oneself suddenly having to comply with regulations enacted by far-off political bodies, the intent behind the regulation is a sound one. Companies should take their customers' data privacy seriously, no matter what country they're in.
So while we've been talking about the impact that GDPR will have on you and your business operations, keep in mind that it also affects your customers: handling their data responsibly can increase their confidence and comfort in using your services, and their loyalty to your brand.
As a cloud-based solution that always keeps data security top-of-mind, SpringCM has been watching GDPR develop closely.
If you're interested in further understanding the details of GDPR's demands, their potential impact on businesses and how SpringCM is educating customers, download our whitepaper titled "GDPR: Securing Privacy."
Editor's Note: This post was originally published in November 2017. It has been updated for accuracy and comprehensiveness.