It's always tempting to put off till tomorrow what could be done today—especially if there are several years between now and the time that a goal needs to be accomplished.
Such is the case with the upcoming European Union General Data Protection Regulation (GDPR) compliance deadline on May 25, 2018, when regulators will begin to issue fines to companies not abiding by the regulation's vast new privacy and security requirements.
"It is like a truck fast approaching us," says Ann LaFrance, partner and coleader of Squire Patton Boggs' Data Privacy and Cybersecurity practice. "We're getting an avalanche now of interest and requests for proposals, and clients are really now starting to focus on this. Why they waited till the last six months? Who knows. But at least they are now seriously starting to focus."
The GDPR was first drafted in 2012 as part of the EU's push for a Digital Single Market. The regulation lays out the rights EU citizens have in regard to their personal data and how data controllers and processors respect those rights. The regulation guarantees EU citizens the right to be forgotten, easier access to personal data, data portability, data breach requirements, data protection by design and default, and stronger enforcement of those requirements.
The EU Parliament approved the regulation in April 2016, and Jan Philipp Albrecht—who steered the legislation through—called it a victory for consumers and businesses alike.
"The General Data Protection Regulation makes a high, uniform level of data protection throughout the EU a reality," he said in a statement. "Citizens will be able to decide for themselves which personal information they want to share. The regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty, and fairer competition."
Organizations that conduct business in Europe were given a little more than two years to become compliant with the new regulation before fines of up to 4 percent of global turnover kick in. During that window, the Article 29 Working Party—as well as other advisory bodies—has issued guidance on how to implement the GDPR. On May 25, the working party will be succeeded by the European Data Protection Board (EDPB), which is tasked with ensuring that the GDPR is applied consistently throughout the EU.
"To achieve this, the EDPB will be empowered to issue opinions or authorizations regarding a variety of matters, such as Binding Corporate Rules, certification criteria, and codes of conduct used by companies; to adopt binding decisions, especially to ensure consistency between supervisory authorities; and to issue opinions and guidance on relevant issues concerning the interpretation and application of the GDPR," according to a fact sheet.
And while organizations have had two years to come into compliance, LaFrance says she is doubtful that most companies will be fully compliant by the deadline.
One reason is that many businesses may wrongly assume that the GDPR does not apply to them because they're not based in Europe. Others, LaFrance says, do not understand the scope of GDPR and are struggling to become compliant.
"The problem is there's cognitive dissonance about what GDPR is all about," she explains. Non-EU based companies "think that it's mainly about IT security, IT systems, and security around them, and in fact that's only one piece of the overall pie."
Instead, GDPR cuts to the heart of what those systems do—store and transfer data—and requires organizations to integrate privacy and security into their overall business processes. For instance, GDPR requires organizations to map their data and how it's collected.
"This is a very expensive exercise these companies are going to have to go through, and they don't really understand before they get started the breadth of the task ahead of them," LaFrance says. "So, when they hire you and you start telling them this, there's an 'OMG' moment."
Because of these factors, LaFrance says some small businesses with less data might be compliant by the deadline, but most organizations will not be. Companies will also have to reassess their third-party vendors to ensure agreements with them are GDPR compliant, which can be a time-consuming process.
"The normal company will have 20 or 30 outsourcing agreements," LaFrance says. "And you've got to go through and renegotiate all of those agreements so that they are GDPR compliant. It's a huge task. And it could be very expensive because the counterparty might say, 'Yeah, we'll sign up for that, but it's going to cost you more.'"
And in fact, companies are expecting to spend billions on GDPR compliance over the next year, according to the International Association of Privacy Professionals (IAPP) Annual Privacy Governance Report.
The report—sponsored by Ernst & Young—surveys roughly 600 privacy professionals about their staff size, priorities, and expenditures for the year. In the 2017 survey, IAPP Content Director Sam Pfeifle says, respondents indicated that the Global 500 will spend $7.8 billion on GDPR compliance out of a combined annual revenue of $26 trillion.
"It's not a huge number—we're not trying to say this is equivalent to Sarbanes Oxley," Pfeifle says, but he adds that it is a massive increase from 2001 when IAPP was created and organizations were only spending millions on privacy.
"It wasn't a thing unless you were in the healthcare space or in financial services," he adds. Typically, these organizations had a small, compliance-focused department that worked with development teams only in the later stages of development.
"It was really just people bringing you something at the end of the product development lifecycle and asking: 'Is this legal?'" he says. "You'd say, 'Yeah, it's legal.' You'd check the box and off you'd go."
GDPR, on the other hand, requires that privacy and security be built into all business processes. To do this, companies are spending in a variety of ways, including adjusting the products and services they deliver.
For instance, Pfeifle gives the example of checking into a hotel and signing up for complimentary Wi-Fi. In the past, guests going through that process would fill out a form with a prechecked box indicating that they wanted to receive promotional emails from the hotel; they had to opt out to avoid receiving those emails.
"In the GDPR, you have privacy by default," Pfeifle says. "Which means that you cannot precheck those boxes. So, someone is going to have to go and recode that page to make it so that box is not prechecked."
For smaller companies, that could be a low spend, but for large corporations that are consumer facing—like Amazon—that could be vastly more expensive.
The other areas in which organizations are spending to become GDPR compliant include staffing (such as internal staff to conduct privacy impact assessments), outside counsel and consultants who specialize in privacy, and privacy management technology.
"We're now seeing software packages that are specifically designed for managing privacy impact assessments—you can assign tasks, you can do reporting, you can have threat dashboards," Pfeifle says. "A lot of them mimic security management software."
These efforts are helping organizations move towards compliance, which is critical: only 40 percent of those surveyed by IAPP said they expected to be compliant with GDPR by the deadline.
"More important than being compliant is being able to demonstrate that you're making the attempt," Pfeifle says. "If a regulator showed up at your door and said, 'Show us you are compliant with the GDPR,' how would you do that? That's what the GDPR asks you to do."
LaFrance's views mirror Pfeifle's, because—in her opinion—regulators will be looking for organizations to make a good faith effort towards compliance.
"For the most part, if you've made a good faith effort to get a plan in place and you've taken the steps that you can between now and May to really get the ship moving in the right direction with a plan to sort things out by the end of the year, you'll be given a good pat on the back by any regulator that is going to do a spot audit of your records," she explains.
Some companies, however, might face more scrutiny after the deadline than others, such as those that are consumer facing and, if compromised, could create significant legal or economic consequences for consumers.
"I think they'll also consider whether there have been complaints by individuals or if there have been a number of reported data breaches," LaFrance says. "Regulators might look then to see if there have been lots of repeat offenders, and then go and do an audit. I imagine they will try to start with the obvious."