EU GDPR: A bogeyman for scaring top management?

EU GDPR: A bogeyman for scaring top management?

Foto: Stanko Cerin

by Stanko Cerin

Upcoming EU data protection regulation aims to finally put in order massive misuse of personal data. What it brings is putting people in control over their personal data. This is exercising one of the fundamental human rights – a right to privacy. Great and noble goal.

To achieve it, European parliament and the Council of the European union created GDPR (General Data Protection Regulation) Directive which caused huge interest on a global scale.

Huge penalties for offenders

“Jurisdiction” has been extended outside EU borders. It comes with number of straight forward requirements such as “right to be forgotten” and several concrete requirements aimed to ensure adequate level of personal data quality and security. All organizations having EU citizens’ personal data must comply, no matter where they are located. Bigger than ever enforcement power is enabled through ability to impose penalties up to 20 million euros or 4% of the global revenue, whichever is bigger!

Huge penalties provide high level of confidence that, for the first-time, EU privacy regulation will be taken seriously.

An atmosphere of hesitation and uncertainty

Huge penalties turned into business opportunity for IT vendors, business and legal consulting companies offering GDPR solutions and services. There’s no doubt that everyone dealing with personal data must do something, but what? In some cases, change in IT systems can be so complex that implementation deadline in 2018 is just unrealistic.

Quick Google search for “GDPR” currently finds more than 1 million pages, most of them offering some kind of GDPR solution. All that marketing power employed to sell these solutions, combined with a fear of huge penalties, created atmosphere of hesitation and uncertainty. Last time we witnessed similar atmosphere was in 1999, when organizations were scared by a famous "Millennium bug" predicted to cause devastating computer glitches on midnight between December 31st 1999 and January 1st 2000.

Who’s going to pay the fine?

Penalties are for those who don’t comply, but the main question remains - what an organization must do to be fined with 20 million euros?! The truth is, privacy regulation exits already and most organizations are already taking personal data seriously. Yes, there are some organizations building their business models on selling personal data, stealing confidential information or doing other nasty things, but they are already breaking the law or at least do their business in some dark-grey zone. Massive punishments are for such businesses. I’m sure we can agree, they deserve it.

Per informal interpretations leaking from EU privacy regulation bodies, GDPR regulated organization will first be warned for non-compliance, get a deadline to make things right, while fines will be only used as a last resort if nothing else works. Amount of fine is expected to be proportional with the significance of the offence.  In short, to get the maximum fine, an organization should massively and on purpose neglect not only GDPR requirements, but also information security best practices and intentionally cause a massive personal data leakage with big impact to data owners - EU citizens.

What are companies supposed to do?

Position yourself - you are already partially compliant with GDPR requirements. Find out how much, what are your strengths and weaknesses in personal data management.

Prepare the GDPR program – Identify what kind of personal data you have, how do you collect it, where do you keep it, how it is protected, as well as how and why do you use it. Establish your personal data information asset register. Assess the potential impact of personal data disclosure for each system and identify the gaps between the current state and the one required by the GDPR. Once you start the project you will realize that even identifying what personal data is, and under what circumstances, can be a challenge by itself, not to mention finding personal data across IT systems and designing required changes. You will need an experienced team to do that. Consider finding external consultants including privacy lawyers, information security and IT experts.  Identify similar projects (i.e. data governance, ISMS etc…) and make sure they work together so you can come up with a detail plan – a GDPR program. Then execute it.

Instead of the conclusion

Organizations will eventually have to comply, but process of aligning existing personal data management practices with new regulation will take years and will highly depend on building personal data importance awareness among general population, and among organizations. To reach adequate level of privacy protection maturity, human society must widely adopt knowledge about personal rights and organizations’ obligations to protect them, secure usage of privacy information and much more. GDPR is good for all of us.

Stanko Cerin, http://www.ostendogroup.com/

More from category

PC Shipments Expected to Decline 9.5 Percent in 2022

PC Shipments Expected to Decline 9.5 Percent in 2022

4 Jul 2022 comment

Worldwide PC shipments are on pace to decline 9.5% in 2022, according to the latest forecast from Gartner.

5G to top 570 Million Subscriptions in Southeast Asia and Oceania in 2027

5G to top 570 Million Subscriptions in Southeast Asia and Oceania in 2027

3 Jul 2022 comment

5G subscriptions in Southeast Asia and Oceania are expected to more than double in 2022 from around 15 million at the end of 2021.

Spending on Compute and Storage Infrastructure Grew Strongly in 1Q22

Spending on Compute and Storage Infrastructure Grew Strongly in 1Q22

1 Jul 2022 comment

Spending on compute and storage infrastructure products for cloud deployments, including dedicated and shared environments, increased 17.2% year over year in the first quarter of 2022 (1Q22) to $18.3 billion, according to IDC.