GDPR compliance cannot be achieved with a solely law based approach, a robust operational strategy is critical to success.
Arriving on the 25th of May 2018, GDPR will go live and be ready to mete out punishment to those failing to comply with the new, rigid data protection standards. It is necessary to repeat the date of its arrival and the penalties it will carry as vast numbers of organisations are either failing to achieve compliance or have not heard about it at all.
At the heart of this problem is a failure to understand the scale of the changes that will be required within organisations, with processes required that cannot be handled manually by staff. Many professionals are pointing to cutting edge technologies as essential for achieving true compliance, with a critical skills shortage amplifying the pressure.
Currently we are focussing on the impending deadline, but we were curious to find out what is on the other side of this tidal wave, what life will look like after the regulation hits. One of the first and foremost thoughts of those that are aware of GDPR will be where and when will the hammer fall hardest?
To explore the near future, CBR spoke to Marc French, Chief Trust Officer, Mimecast, who said: “I suspect, this is just me speculating, there will be a bit of a grace period. May will come, they will shake the sabre a little bit and say ‘Is everybody there? Let’s be honest’, everybody is predicting that less than half of folks are going to be there by the date.”
“They will probably make an example of somebody or attempt to make an example of somebody by the end of the summer, they will probably go after some large multinational US company. The interesting paradox is that those folks are going to be the most prepared to have that conversation. It will probably end up being a tier 2 player that gets that first fine, not the Microsofts, LinkedIns or Googles of the world.”
We also learned about a potentially major hidden risk that is waiting for organisations when GDPR arrives, an aspect of compliance that many organisations may well have glossed over in forming a strategy for beyond the 25th of May.
“There a couple of nuanced things, one risk that people chat about but I don’t know whether they fully understand is the breach notification piece. If you look at the legislation as it stands it says 72 hours once you become aware, if you think about a normal business operating environment, you probably have n number of folks in your supply chain,” French said. “That is 72 hours in total for your complete supply chain, so do folks understand their supply chains and have necessary contacts in those supply chains? Everyone has seen the breach notification piece and I don’t think they actually grasped the magnitude.”
This example gives an insight into the scale of the task involved with achieving GDPR compliance, the reason that numerous experts are calling for more work to be done with automation technology to take the weight. I asked Mr French whether he agreed with the belief that automation will be vital for true compliance.
He said: “Absolutely, it is just too pervasive and too large; there is just no way that you could staff enough folks to do what you need to do. Automation is the only way to do it, but that will only get you so far, it will get you to eighty per cent.”
Mr French went on to explain the reason that automation will not solve the entire puzzle, humans. Our natural variations and fallibility will cause us to weaken the capabilities of automated technology when it has to interact with and rely on us, while it could have seamless interaction when communicating with another automated system.
“What you could do with machine learning and AI to interpret a request is a lot harder when a human makes a request, the automation works really well when you have a machine talking to a machine. Whenever you put a human in front of that automation tends to fall down a bit, that is why you can only get to the eightieth percentile.”
Eighty per cent of the way is still striking when compared to the number of organisations that may not even have moved to achieve compliance, let alone the ones that have not yet even heard of GDPR. With automation seeming increasingly essential in achieving true GDPR compliance, we are left wondering how the organisations of the world are going to manage.
In answer to a question of the availability of these technologies to firms looking to achieve compliance, Mr French said: “Unfortunately I think it is going to be a manual process for the average organisation, we are blessed because we are a security company in the technology space, we have tools and people. If you think about the average manufacturing company that is selling to EU nationals, they are going to be hard pressed to tool and they will have to do most things manually.”
GDPR is the dawn of a new era of data protection, giving rise to roles such as the one Mr French holds. This is a strong indication of how valuable professionals with this array of skills have become.
“It is an interesting role; I think of it as an evolution of security practice, my background historically has been as a CISO. Now I have a remit that includes both the physical and infosec sides, which is interesting because if you look back at the practice of privacy it has always been in the legal side of the house and staffed by an attorney, I am not an attorney.”
Part of the run up to GDPR is that organisations are approaching compliance with a purely legal strategy, failing to realise the complexity and necessity of a strong operational approach to the new challenge.
Mr French said: “It has gone from a law discussion to an operational implementation discussion; but most attorneys are not very operationally focussed. What ends up happen is they needed to have somebody that could actually execute a GDPR programme, there is still an element of law that is involved, I have a privacy attorney with me that does that aspect of it, but they are not going to do breach notifications and implement privacy training. My role is the convergence of those two things.”