The European Union’s General Data Protection Regulation (GDPR) is a regulatory change so expansive that many of you are struggling to get your head around it. The privacy-minded GDPR aims to protect consumers’ personally identifiable information – and as such, it touches myriad aspects of how companies collect and store data, as well as how they share data with partners, subcontractors, and even cloud providers. While the rules go into effect on May 25, Gartner predicts that 50 percent of organizations will not be in full compliance at that time. If you’re concerned about where to focus your energy as an IT leader with regard to GDPR, you’re not alone.
[ See our related story: What is GDPR? 8 things leaders should know. ]
As the May 25 deadline approaches, we talked to a few experts about the top pain points for U.S. organizations, short- and long-term. We also explored what aspects of GDPR you should worry less – and more – about. Consider their practical advice:
What is the top pain point for U.S. organizations immediately after the GDPR May 25 date goes into effect?
Knowing where cloud services hold your data:
Says Peter Martini, president and co-founder, iboss: “The main pain point for U.S. organizations after May 25 will be the ability to understand and control where their cloud services are storing their data. Many organizations don’t realize, even if their internal infrastructure is compliant, as soon as they upload their data to a monolithic cloud service they are putting GDPR compliance at risk. U.S. organizations need to take a critical look at their cloud services and identify services that provide control and insight into the location of their data.”
Managing EU locations:
Says James Stickland, CEO, Veridium: “One top pain point will be international organizations managing their European locations. They will have to be on top of the process. Having an HQ in the U.S. but running regional arms doesn’t exclude you from participation, so vigilance and adherence will be key here. Otherwise, enterprises could find [themselves] wide open... I would ensure companies have their data privilege teams in check and are reporting on a weekly to monthly basis.”
Data subject access requests:
Says Simon Langton, VP of Professional Services, Avecto: “Data subject access requests will be the top pain point associated with GDPR. There’s often an uptick in the number of requests to exercise a right when that right is first given – we’ll see something similar with GDPR. Citizens will be looking to exercise their right to ask companies what data they hold about them. The pain point here is the time and effort involved in servicing these requests, rather than what the data is once it’s handed over.”
Understanding what's within GDPR's scope:
Says Mayank Choudhary, vice president, ObserveIT: “The biggest pain point for U.S. organizations is how to best understand which users and data flows are in scope for GDPR. Organizations might have users segmented into specific compliance groups, and they might even understand where some of this data resides or how it moves. However, they will still need to integrate additional technologies and processes that can monitor for in-scope and out-of-scope data flows on endpoint systems where users directly interact with data.”
What do you see as the biggest pain point long-term?
Data breach disclosure requirements:
Says Peter Martini, president and co-founder, iboss: “GDPR requires companies to alert customers who were subject to a personal data breach within 72 hours of learning of the compromising incident. As we’ve seen in the past, breaches are very complex, and attackers typically go to great lengths to obfuscate the damage. Organizations will be hard-tasked to fully investigate a breach in 72 hours and will often face the difficult task of multiple rounds of disclosure as new information becomes available.”
Says James Stickland, CEO, Veridium: “The biggest pain point is the removal of data. Using data can be easily managed by acceptance from the user. However, most companies are not geared up to remove and confirm complete removals of data as it resides in many locations. Ensuring a complete data picture is essential for success, not to mention how you secure is even more important.”
Associated culture change:
Says Simon Langton, VP of Professional Services, Avecto: “GDPR requires organizations to maintain a high level of procedural control over how personal data is used that inhibits change and innovation. This will be a cultural change for many organizations.”
Says Marc French, chief trust officer and data protection officer, Mimecast: “Data governance. Organizations have done a tremendous amount of work to understand their data strategy, but can they keep it over time?”
Says Mayank Choudhary, vice president, ObserveIT: “The biggest long-term pain point is going to be GDPR enforcement – how do you measure GDPR compliance or non-compliance? We know there is a 72-hour requirement for the right to notification for users in case of an incident involving their data. However, what we do not yet understand is how exactly organizations should respond, and what are the appropriate responses for when a data breach incident happens and in-scope users’ data is impacted.”
Read on for advice on what to worry less – and more – about when it comes to GDPR: