The Hidden Force That Will Drive GDPR Privacy Compliance
Daniel Solove
Professor, GW Law School + CEO, TeachPrivacy + Organizer, Privacy+Security Forum
The clock is ticking on getting ready to comply with the EU General Data Protection Regulation (GDPR). EU regulators will start enforcing it on May 25, 2018.
GDPR is less than a year away, and it is quite a challenge to get ready for. Becoming compliant is not something that can be achieved overnight, or in a week, or in a month, or even in a quarter. A lot of privacy and security controls must be put into place or adapted to satisfy new EU standards and rights.
GDPR Compliance Preparation Is Currently Lagging
Despite the mammoth task ahead, many companies are likely not going to be ready in time.
- A recent survey found that 61% of companies had not even started the task of GDPR implementation. Only 11% said that GDPR implementation was “well underway.”
- According to an estimate by Gartner, only 50% of companies will be in compliance with GDPR by the end of 2018.
- According to another survey, 73% expressed concern about being in compliance by May 25, 2018.
- A survey conducted in March 2017 indicated that there are many areas where companies need to step up their privacy programs to meet the demands of GDPR. Many companies were still stuck on the early step of doing a data inventory.
Why Sweat GDPR?
“So what?” one might ask. “Why should companies be sweating over GDPR?”
The most common answer is that GDPR carries fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. These are potentially enormous fines. If issued, they would not only wake up the C-Suite, but do so by pouring a bucket of ice water on their heads.
“But how many of these fines will likely be issued?” one might ask. “Will they really bother to enforce against most companies?”
I think many C-Suites might be discounting the GDPR risk because they don’t think they will likely be the ones nabbed by regulators. After all, as with most privacy and security regulatory enforcement, regulators only go after a small fraction of violators.
Of course, EU regulators could start with some bold enforcement actions and big fines, making a loud statement and scaring companies into action. There are, however, many complicated factors in the EU that could temper enforcement of GDPR. We’re not likely to see GDPR enforcement begin with hundreds of cases with huge fines.
The Major Force that Will Drive GDPR Implementation
There is a force that will drive GDPR implementation quite effectively. It’s a force that is often hidden and unsung. What is this force? It’s other companies.
The GDPR places obligations on companies that have vendors that process personal data. Many large companies have hundreds of vendors that are processing data.
Organizations that determine the purposes and means of processing personal data (what is collected, why, and how it is used or stored) are referred to as “data controllers.”
Organizations that process personal data on behalf of data controllers, such as hosting, analytics, or payroll vendors, are called “data processors.”
Both controllers and processors are regulated by the GDPR. And controllers are on the hook under GDPR if they do not ensure that the vendors who process their data do so in compliance with GDPR.
GDPR Article 28(1) provides: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
GDPR Article 28 also requires that the contract between a controller and a processor bind the processor to GDPR’s obligations. A processor that wants to subcontract to another processor may do so only with the controller’s authorization, and only under a contract that imposes the same data protection obligations on the sub-processor. The result is data protection all along the chain of data custody.
The result: Controllers will want to reduce risk and mandate that processors be compliant with GDPR. Processors will need to be compliant or else they risk losing their vendor relationship with the controller.
Controllers have every incentive to be tough on vendors. The vendors are the ones competing for the business of the controllers, so the controllers are in the driver’s seat. If a particular vendor is falling short, the controller can find another that is able to comply with GDPR.
So my advice to vendors is that you had better start working on GDPR implementation now. If you don’t, you’ll be at a major competitive disadvantage. You’ll risk losing large contracts with the companies whose personal data you process.
A vendor might be able to survive a GDPR fine. But a vendor might not be able to survive a lot of lost business.
GDPR’s Impact
GDPR will have an impact far beyond how EU regulators enforce it. This is because of the intricate network of contractual relationships through which companies share personal data. GDPR will start sending some electricity through this network, and it will start lighting up.
Over time, this will lead to GDPR’s privacy and security controls being implemented more widely and eventually becoming generally accepted business practices.
Instead of seeing GDPR as a negative, companies can also see it as a positive. Being ready for GDPR will be a competitive advantage.
Other Resources of Note
- My GDPR Cartoon: Preparing for GDPR: A Year to Batten Down the Hatches
- My Guide to GDPR Training
- IBM Security Intelligence Podcast, Data Privacy and GDPR: What You Need to Know
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers. This post was brought to you by IBM Security team. For more content like this visit Security Intelligence.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 4-7, 2017 in Washington, DC), an annual event designed for seasoned professionals.
NEWSLETTER: Subscribe to Professor Solove’s free newsletter
TWITTER: Follow Professor Solove on Twitter.
Director of Enforce (Irish Council for Civil Liberties), and Senior Fellow of Open Markets Institute
There is a second hidden force: reinsurance companies. The fines and threat of legal action from data subjects create a risk that insurers cannot ignore. The insurers, and their reinsurers, have to take this into account during contract renewal discussions. Clients that do not act to mitigate the risk presumably pay higher premiums. (I think this is a particular problem for ad agencies and brands https://www.dhirubhai.net/pulse/risks-brands-under-new-eu-regulations-johnny-ryan)
Design Professional
I have no problem with your arguments, and the stick (read: the potential fines) for not complying with GDPR is very often used as an argument. However, allow me to add a carrot: another benefit of going through the exercise of achieving compliance is that organisations are obliged to document all personal data files, the grounds for processing them, with whom the personal data is shared, etc. While preparing to gather this data, organisations realise how some business processes are executed in a poor manner. In other words, an organisation could also benefit on that level by using that information to improve its efficiency and, in the end, be more competitive vs. its competitors!
Data and Privacy Thought Leader Type 1 Diabetic
Great read. I too believe that vendor compliance, to satisfy and compete with their clients’ compliance, will be a key driver to compliance. Compliance isn't optional under the GDPR, but clearly if your business cannot guarantee to your data controller that you have the appropriate TOMs, they will go elsewhere to providers that can. It's one of the key themes of the GDPR: demonstration of compliance.
Technical Author and Product Manager at Dot Origin
Interesting view that GDPR will get enforced as a by-product of supplier choice in the big systems/services primes. I buy that. It has been the motivation for compliance with many other initiatives to date, from ISO9001 and Cyber Essentials to Conflict Minerals Policy.