GDPR is finally here, but the story doesn't end at the implementation date.
Regulatory compliance will be an ongoing journey, and questions remain as to how the regulation will be enforced.
Enza Iannopollo, a Forrester analyst on the Security and Risk team, tells Computerworld UK that companies need to shift from readiness to sustained compliance.
"This is only the beginning of the story," says Iannopollo, a Certified Information Privacy Professional (CIPP/E). "We assume that it will be a work in progress, even for companies that might be ready today, because building compliance within processes and making sure you do that on an ongoing basis will always be partially a work in progress. We don't expect to see a final stage of compliance. That wouldn't work for this kind of world."
Many organisations are not yet compliant. Iannopollo advises them to focus first on their highest-risk data processing activities, which will usually involve sensitive personal information.
Consent strategies, data subject rights and breach notifications will also need to be prioritised, as will any large predictive analytics programmes that use personally identifiable information and anything involving the cloud.
Tracking systems for GDPR compliance
Old systems will need to be checked for compliance, while new ones should have data protection embedded in their design, advises Nigel Hawthorn, a data privacy expert at McAfee.
"The GDPR was not intended to be considered an add-on set of policies and procedures changing how data is handled," explains Hawthorn.
"Instead, all new systems must be designed from the ground up to take into account best practices for data minimisation, which is why, even on deadline day, many companies still aren't compliant.
"As of today, companies are required to notify a relevant data protection authority of any data breaches within 72 hours of discovery. To help reduce their risk, companies can restrict sensitive information to only managed devices, use behavioural analytics to detect any unusual activity, and must have plans in place to react quickly to correct any threats in the event of a breach."
Third parties can open up further risks.
"You need to understand the third party risk and what it means to sell or share data with third parties," says Iannopollo. "You need to understand that the way those third parties are complying with the GDPR will affect your own compliance, and you need to handle that risk systematically."
The data sprawl that builds up over time requires a long-term solution rather than a one-time clean-up, as Daniel Mintz, chief data evangelist at Looker, explains.
"Businesses need a single access point for their data, allowing them to see who has accessed it and what they've done, all in one centralised, managed and secure place," he says.
Once this is in place, all the data processing should be clearly documented. This will also help your case if you receive a visit from the regulators.
"Whatever work an organisation is doing to become compliant, that has to be documented," says Iannopollo. "This is the base of your evidence of compliance strategy, and if a regulator knocks on the door and says 'hey, I want to see how you're complying with the rules,' your documentation will be supporting evidence that some work has been done."
The GDPR carrot and stick
The eye-popping maximum fines for breaches have been the focus of headlines in GDPR reporting, but the penalties will ultimately depend on the nature of the breach.
Investigations will take time to complete, and organisations will have an opportunity to respond to any accusations, but fines will come eventually for major infringements.
"I think we are going to see enforcement action," says Iannopollo.
"I think the regulators will set a few examples to start with. They want to be perceived as strict with these rules."
She nonetheless prefers to focus on the business opportunities that GDPR brings. Companies can make data protection a business differentiator, and a way to gain the trust of their increasingly data-savvy customers.
The implementation date gives them a chance to reflect on the benefits of GDPR, says Joe Garber, global head of product marketing, information management & governance at Micro Focus.
"Today we should consider the GDPR from a different angle and explore the opportunities it will bring to not only improve privacy and security, but also to help brands discover the real value of data," he suggests.
"For businesses, the GDPR is a fundamental step to ensure data is managed in a more holistic way, allowing them to gain a greater and more well-rounded view of the information they store. Once the correct processes have been deployed to organise this data and implement analytics tools, and the privacy requirements of the GDPR have been taken into account, useful and accurate insights can be gleaned, a benefit for organisations and consumers alike.
"Businesses will be able to use customer insights and ultimately grow their business in a way that would not have been possible before. And, as a consumer, I am looking forward to what the GDPR can do for me as an individual, protecting my personal data in a time of severe mistrust around data sharing and use."