The GDPR enforcement date is coming… is your organization prepared?
From my understanding, based on what I see in the field, the majority of companies are not. Outside finance, insurance and the big retail chains, very few are already prepared, and some aren’t even achieving meaningful results that would let them be compliant by May 25, not even the health or public sector (more on that later).
This is a stark contrast with other countries: a colleague assured me in late November that his organization, a major internet business with thousands of employees worldwide, was already GDPR compliant. Not everyone has dozens or hundreds of lawyers and consultants at hand to get things done, but I think it’s actually a cultural thing.
The same culture that thinks it’s OK for the Portuguese government (and Portugal is not alone in this) to even consider exempting public institutions from fines when they are responsible for data breaches, unauthorized access or abuse in data processing. The ones that should lead by example are the first ones trying to get away with it.
This leaves the regulators with little moral authority to fine companies, at least the smaller ones without legal, security and compliance departments.
The smallest fines will be €1,000 for minor infractions (those not involving health data or data belonging to underage users), and there is some expectation about what will happen on May 25. Will the regulator fine every non-compliant company? Maybe, they say. Will there be class action lawsuits against big companies, brought by clients seeking compensation for their data not being handled correctly?
We need to wait and see, but regarding the first question some European regulators say that, when the day comes, they will be busy checking whether their own institution is compliant. The regulators, like any other company or institution, must be compliant and GDPR ready too, even if they won’t be fined the way a normal company will.
Meanwhile, as international players start sending customers and users the new T&Cs of their services, SMEs are rushing and paying handsomely to attend workshops where they learn what the GDPR is and how it will affect their business, but leave without any clue how to implement it, not even a road map to get started. The workshops are often devoid of any “How To” or other practical content.
The sectors that handle the most sensitive personal data, such as health and education, are working overtime to publish directives for hospitals and schools to implement, but the problem is always the same: the lack of practical solutions and the lack of in-house resources for such a broad subject. Major health institutions will need a DPO (data protection officer) with both legal and IT skills in their ranks. At the moment there are a lot of DPO certifications on the market, but there is no information about who will validate such certifications. Schools and others that handle data from underage users will have an even more difficult task. Internet services can’t process or store data belonging to minors without authorization from the holder of parental responsibility (the GDPR sets the digital age of consent at 16 but lets member states lower it to 13, and Portugal is likely to pick 13), and that will be a truly great challenge. Some companies (like Lego) already use child-safety mechanisms, but not even they will be fully compliant.
By now everybody understands the importance of the GDPR, but when it comes to SMEs very few can implement or design a strategy from scratch with data protection in mind. Companies with fewer resources can still identify the processes or applications that use data within the GDPR’s scope, or draw a personal data flow chart of their business processes, but they will struggle to perform a gap analysis, develop a DPIA (data protection impact assessment), write a backup policy or keep the assets that store the data safe from attacks.
To achieve that you need skills in law, IT and security, and you only find all three together in major consulting firms or in smaller ones that join forces to offer a 360° service, as we do with some partners.
What we see now, with all the fear mongering going on, are law firms offering to solve the GDPR problem by reviewing and writing new contracts, IT firms selling software to manage information, and security firms auditing information systems. Everyone tries to adapt what they already sell into a GDPR solution. I think a good GDPR compliance strategy must involve all of them, or you end up with appropriate legal contracts, or good personal data management, or secure systems, but not all of the above at the same time.
Yesterday the Portuguese Council of Ministers approved a law proposal on the execution of the GDPR and on the particularities each EU member state is allowed. At first it stated that it would give another 18 months to implement the regulation, but it seems that was an error and it will not happen. (I don’t even know how that would work if someone filed a complaint with the EU against a Portuguese company…) What seems certain is that the public administration will be exempt from fines (at least for the first 3 years), which is probably a lost opportunity to get better governance and a better mindset in public bodies. Without the enforcement of fines, one can expect that things might not be properly done, and the promise of best practices in data privacy and handling that the GDPR brings will be lost.
In the end it is the citizen who loses: if I don’t like the way a private company handles my data I can always switch to a competitor, but if I don’t like how the government handles my data… well, that’s a little trickier. One of the highlights of the GDPR was the astronomical fines (it worked; everyone paid attention). In this proposal, the minimum amounts set by the government are lower than expected, in an attempt to protect small companies that don’t do business with client data(!). From €20 million, or 4% of worldwide annual turnover if that is higher (still the maximum), we’re now talking about €1,000 (SMEs) and €2,500 (big companies) for minor infractions. We’ll see what happens in May.