On April 14 the EU accepted the General Data Protection Regulation into law, which will be enforced starting April 14, 2018. Organisations all over the world now have 2 years to prepare for these changes, but the first challenge is figuring out what needs to be done and understanding the consequences.
A while ago my boss asked me what the cost would be to become compliant with GDPR and I really couldn’t give him a good answer. My guess was somewhere in the neighbourhood of 100 – 100.000 USD but it was no surprise that my answer was not met with great enthusiasm. Apparently managers tend to want more precise predictions.
The law in itself is just around 100 pages, and if you really want to understand the consequences of the new law you need to read the references, referrals and statements regarding the law as well. If you just take all documents published by the EU, we land at a meagre 6000 pages. This is exactly what I'm doing right now, and in this series of articles I will share my key findings.
GDPR will hurt
GDPR will hurt, and it should. The fact of the matter is that if you followed the old directive properly, GDPR will not mean that much of a change for you. But the old directive was not enforced properly, and with very small penalties it was quite toothless. As such, many enterprises and organisations have shown a blatant disregard for privacy information and keeping it secure. Lax attitudes towards directives will provoke a reaction from the EU, especially when US companies started to treat privacy information from US citizens (they have laws that hurt) differently from privacy information from EU citizens.
Major and minor infractions
As a result, you can now be fined up to 4% of your global turnover (up to 20 million EUR) for a major infraction and up to 2% (up to 10 million EUR) for a minor one.
If you hope that your national authority, which might have been inactive in the past, will stay inactive, you had better think again. You see, any individual has the right to raise a complaint against any organisation, and each complaint will trigger an investigation somewhere down the line. Any company doing business in the EU and/or handling data regarding an EU citizen can be investigated and fined, so the chances of being audited just increased.
The cautious CSO
There have not been enough court cases yet to determine some sort of praxis on the matter, and until then GDPR leaves plenty of room for interpretation. Here is the current definition of a certain minor infraction: the lack of documentation on when, where or how personal data was received.
Again, since there is plenty of room for interpretation and since there is no praxis, the cautious CSO should assume that one single missing record of an event containing personal data can get you in trouble.
Set aside at least 2% of your turnover for GDPR fines
Here are a couple of fun facts that one needs to be aware of when it comes to fines and the GDPR process.
If you happen to fail an audit you will be forced to cough up the fine, that simple. This is an actual fine, so there is no court and no process in which you can plead your case; you just need to pay the fine, and then you can take action.
After having casually paid an easy 10, or even 20, million EUR from your savings account, you can complain to the European Data Protection Board and ultimately to the European Supreme Court, but as said, you will have to pay the fine in the meantime.
Just to put some sugar on top, upper management may be held personally responsible for breaches, so there is no hiding behind your company. I don't know about you, but I don't have 10 million euros lying around. On the other hand, I do know that we are well on our way and will have all our documentation in order far before 2018, so I will sleep well at night. Will you?
Don't be alarmed by my bleak picture of the future. The light you see at the end of the tunnel is in fact a GDPR train, and yes, it will run you over. The question is how badly you will get injured.
If you have a big technical debt from years of neglect, you should prepare for an acid shower. If you have done everything in your power to prepare for the transition, you'll still end up with a bunch of new standards to implement. One thing is clear to me though: neglecting our privacy responsibilities has never been an option, but now we have a law to really force data processors to care.
That being said, we are here to help you if you want to take privacy seriously. We know how to secure infrastructure very well and can future-proof you for the coming GDPR.
Kim Hindart, CSO at City Network, has a long background in information security, with previous experience from the news and media industry, IBM, the Swedish Army and big telcos. He is a long-term enthusiast of Open Source projects like Symbian, Android and Open Stack. When not involved in security work, he likes to play around with databases and mobile operating systems. According to Kim, Internet access and cheese are the big necessities of life.
“Go SQL you can still survive”.