Now that GDPR is here, what does it mean?
Realistically, despite it having now gone into effect, there will still be plenty of entities that drag their feet on GDPR compliance. For some, rolling the dice on avoiding a breach would seem like a preferable option to overhauling their policies to implement the new regulations. If you don’t get breached, you don’t get penalized, right? At least, such is the rationale.
I would say gambling on completely escaping the wide net of cyber criminals sounds foolish, however.
One requirement of GDPR, after all, is that an organization must provide notification of a breach within 72 hours of discovery. This is an unprecedented timeline. Compare this to Ponemon’s 2017 report, which states that breach detection generally takes 191 days, with a further 66 days to contain the incident. Clearly, GDPR is a massive accelerant. Simply waiting until the last possible minute is just setting oneself up to fail, even if it provides some short-term financial relief.
Regardless, many people have been receiving emails lately, alerting them to GDPR implementation. Some companies seem oddly misinformed. I’ve heard of automatic PR notifications to the effect of “if you want to keep receiving emails, you don’t have to do anything,” which…isn’t how this works. The new rules stipulate that organizations have to gain explicit consent from people to opt in, not wait for them to manually opt out before stopping. If they are concerned that people will, in fact, opt out, well, that’s kind of the point of compliance. Giving people better, more granular control over their data and holding companies accountable when handling this data: these are the goals. They apply to businesses of all sizes, from large to small.
Of course, small to midsize firms might be worried about the costs involved with GDPR. Responsible data collection can be of assistance here. Steps to take include examining your current collection policies, asking whether you truly need all the data you’re keeping, and making your processes clear and open to both employees and consumers, while responding to any data requests they might submit. Evaluating your data breach response policies in a similar fashion is also highly advisable.
There will, early on, be mistakes. The company behind the Ghostery browser and ad-blocker, in sending out GDPR emails to users, accidentally included other people’s email addresses. Obviously, not a great start. Leaving aside the irony of trying to comply with GDPR leading to a violation, companies can’t be deterred from adapting to the new regulations, even if they experience a few hiccups along the way.