GDPR's got 99 articles, and security's just one.
Article 32, to be exact. The "security of processing" article requires controllers and processors to implement technical and organisational measures appropriate to the nature, scope, context and purposes of the processing and to the risk it poses to individuals. It names pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience of systems, the ability to restore data after an incident, and regular testing of those measures, but leaves the choice of controls to the company.
The other 98 articles largely pertain to something the regulation's text itself mentions only once, in a footnote: privacy. Despite its consistent use of the term "data protection," GDPR is widely recognized as an update to, and a harmonization of, the EU's data privacy rules.
Regulators did not lay out a specific process for companies to implement, but they did lay out the goals. With the regulation in effect, regulators have several ways of pursuing companies that fail to comply, though the subjective and complicated calculation of fines means no two outcomes need look alike.
But building a privacy program that actually satisfies the regulation is no easy feat for the enterprise. Companies implementing such a program across business departments face a "death by a thousand cuts," according to Blake Brannon, VP of products at OneTrust, speaking at the Gartner Security and Risk Management Summit in National Harbor, Maryland earlier this week.
Leading up to the May 25 deadline, many companies instituted a superficial fix for GDPR by updating the customer-facing privacy policy without laying the groundwork to carry out new obligations such as data subject requests or data deletion. But when it comes to changing privacy practices and processes in an organization, the outward-facing policy is usually the last step, not the first.
In the scheme of compliance priorities, companies first had to decide whether or not to appoint a data protection officer (DPO), set up a data inventory and data map, conduct a gap analysis and draw up an action plan, according to Brannon. Only then did the focus turn to security, documentation and a lawful basis for each processing activity and, as one of the last steps, a new privacy notice to give data subjects the transparency the regulation requires.
Anywhere from half to two-thirds of companies are still not compliant, even after the deadline. But even with some leniency during the initial period, if regulators come knocking, companies need to be able to show "defensible" and "demonstrable" compliance through their records of processing activities and their contracts, said Hugo Teufel III, chief privacy counsel at Raytheon, speaking at the Summit.
There are two main avenues by which regulators will begin looking into a company, according to Brannon:
- A data protection authority suspects that a company is not conforming to the regulation and opens an assessment of its own accord.
- Citizens who believe their data subject rights have been violated complain to a national data protection authority or bring a case in court.
Companies found in violation can face monetary or other types of penalties. For upper-tier infractions, fines can reach 4% of global annual turnover or €20 million (about $24 million at the time of writing), whichever is higher; lower-tier violations carry fines of up to 2% or €10 million (about $12 million), again whichever is higher.
A big misconception about GDPR is that the regulators' intent is to punish and fine companies heavily, when in practice fines and other penalties will be calculated from a variety of factors, according to Brannon. These factors include:
- The nature, gravity and duration of the infringement
- Whether the infringement was intentional or negligent
- Any action taken to mitigate the damage to data subjects
- Preventative technical and organisational measures already in place
- The company's history of previous infringements
- The categories of personal data involved
- Adherence to approved codes of conduct or certifications
- The degree of cooperation with the supervisory authority
- How the authority learned of the infringement, including whether the company notified it
The prospect of these fines drew a lot of worry, but it may take a while before penalties of that size are handed down, according to Teufel. Companies with the means will likely hire outside counsel and challenge the fines in member state courts or before the Court of Justice of the European Union.
"The regulators are pretty smart and they understand this," said Teufel. "If they're going to go after somebody with a hammer that big, they're going to want to be able to demonstrate that there have been chronic and acute problems with this particular company in complying with the GDPR. They're going to want to build a record before."