Joseph Assaf Turner
Why you should happily adopt GDPR
Forget about fines – Here’s why you should adopt GDPR
Yes, the deadline has been set for May 25, 2018.
Yes, fines may reach €20 million or 4% of global annual turnover, whichever is higher.
And yes, if your company is found non-compliant with GDPR, then, much like after many of the major data breaches we have seen in the past, fingers will be pointed, heads will roll, stock prices will fall, and only then will a slow process of GDPR compliance begin.
As frightening as this scenario may sound, there are far better, more important reasons to start the GDPR compliance process. Here are a few of them:
1. Management Support
Management is accountable for protecting the privacy of the people whose data the company stores. This approach is in line with global regulations and standards, which call for senior management to be more involved in securing the company's data and its users' privacy. GDPR defines the "controller" as the entity that determines the purposes and means of processing personal data, and Article 5(2) makes the controller responsible for, and obliged to be able to demonstrate, compliance with the regulation (the accountability principle). Third-party data processors carry their own obligations (Article 28) and can be fined directly.
Having management involved in the company's privacy and cyber security processes ensures that cyber security professionals are properly challenged, and that privacy and cyber security efforts are aligned with the company's business goals and objectives.
2. Global Adoption
The question of whether GDPR applies to U.S. companies is irrelevant on two counts:
(a) GDPR's territorial scope (Article 3) does not depend on citizenship. It covers processing carried out by an establishment in the E.U., and processing by companies outside the E.U. that offer goods or services to people in the E.U. or monitor their behaviour. Assuming that part of your database contains data on people located in the E.U., including U.S. nationals who live there, is just common sense. Moreover, residency and citizenship are rarely recorded, so there is little way of knowing whether, and how many of, your data subjects fall into that category.
(b) As more companies move storage to cloud providers, storage is distributed across multiple sites around the globe, meaning that part of the data will probably be stored on E.U. soil. Storage location is not the legal test (Article 3 turns on establishment and on whom the processing targets), but in practice it draws the company and its E.U.-based processors into the regulation's reach and again makes the company accountable under GDPR.
Once at least part of the data falls under GDPR, it makes no sense to apply the requirements to only some of the data, some of the databases or some of the organizational processes. The simplest way to apply the regulation is to apply it to the entire data infrastructure and all of its processes.
Consequently, GDPR is on its way to becoming a global standard. For a company, displaying GDPR compliance sends a message to clients, suppliers and the public that privacy and human rights matter to it, and that it is a safe company worth doing business with. This is a competitive edge over companies that are still holding off on compliance.
3. Data Infrastructure Mapping
Most companies are aware of their data assets, but to what degree? In large companies we find servers holding data that no one has used in years (both the servers and the data), obsolete processes that still hold privileges, user accounts with privileges that are no longer needed, and so on.
GDPR calls for a clear mapping of the data infrastructure (databases, IT systems, processes, access privileges, etc.); Article 30 requires controllers and processors to keep records of their processing activities. Mapping the data infrastructure gives management a clear snapshot of the current state of affairs, allowing decision makers to decide what needs further attention and what should be decommissioned.
4. Data Classification
Data classification is a process most organizations struggle with. Although it is driven by the potential damage to the company, classification can be multi-dimensional (confidentiality, availability, privacy, etc.), and the privacy dimension is a good place to start. Once data has been classified along one dimension, it is easier to classify along the others as well.
5. Human Privacy Protection
For too long our right to privacy as individuals has been trampled by tech and media giants. Even smaller companies today monitor us and collect personal data they have no business collecting, let alone with our consent or knowledge. Just look at the average flashlight app asking for permission to access our contacts, location, photos and more.
Complying with GDPR helps turn the tide. It gives us as individuals the right to access our data (Article 15), the right to erasure, known as the right to be forgotten (Article 17), the right to data portability (Article 20), the right to be told when a breach of our data is likely to put us at high risk (Article 34, alongside the Article 33 duty to notify the supervisory authority), and other rights intended to protect our privacy as our personal information is gathered and traded.
Frightening stories and nightmare scenarios of fines and liability may push a company into formal compliance with the regulation. We believe that by finding the business incentives, we can drive the company to adopt GDPR and use it for the benefit of its clients, suppliers and users.
As always, we are ready to help you make informed decisions and execute them to reach your company's business goals. Visit us at www.maya-security.com.