GDPR compliance is a moving target but firms need to keep up

Register now

Before you know it May 25, 2018 will be here and the General Data Protection Regulation, the European Union’s new omnibus data privacy and information security law, will be in full effect.

No one wants to be on the hook for the steep penalties that await organizations found in violation of GDPR’s mandates. Therefore, companies have been spending millions of dollars and thousands of hours preparing for nearly two years since GDPR was announced.

Of course the big question is: have those resources been allocated wisely? Will the investments in GDPR compliance prove to be well spent when May 25 arrives? If a recent survey by tech firm Veritas is any indication, the answer may be a resounding, “No!”

According to the Veritas report, only 31 percent of companies surveyed believe they are GDPR compliant. That percentage is concerning enough, but even worse, the number may actually be closer to 2 percent. How could there be such a readiness gap? What about all that preparation? Was it squandered? Probably not.

A primary challenge with any major regulation is that, no matter how meticulous its writers intended to be, there will always be ambiguity. Some of that ambiguity is intentional and some simply unavoidable.

GDPR was necessitated because the old regulation dictating the security and management of data, 1995’s Data Protection Directive, was obsolete. Twenty years of technological evolution and innovation—the best and the worst—resulted in a major shift in how data is created, moved, stored and protected. The Data Protection Directive could not keep up.

A lot of very talented lawyers, advocates and technologists spent a long time writing the document designed to address and balance the needs of people and businesses. However, not every possible situation can be accounted for in a single regulation, nor can the future be accurately predicted. Some vagueness is inevitable—and necessary. Whether by design or oversight, many conditions and definitions contained in GDPR will be subject to legal challenges and that process will set the precedents needed to clarify the regulations.

Another factor in the uncertainty over readiness comes from the steady stream of news about major data security failures. Even the most confident CISO can’t help but read about all the data breaches, ransomware campaigns and other cybercrime. Events such as Equifax, Avast/CCleaner, WannaCry, NotPetya and Dyn provoke concerns about vulnerabilities that might not have been accounted for. In the first half of 2017 alone, nearly 2 billion records were exposed thanks to hackers. What if any events like these happened after GDPR is in effect? If a breach affects EU citizen data there’s a good chance the European Commission will act.

Even a number of legal experts and respected privacy and security professionals deeply involved in GDPR compliance efforts can’t guarantee that any organization victimized by ransomware would NOT be found in violation of the upcoming regulation.

You see, the conditions surrounding a ransomware infection might not expose private data in the traditional sense. Then again, the European Commission might decide to prosecute under GDPR if they felt security systems and processes were exposed as being insufficient.

Some experts have even said that, following the WannaCry and NotPetya campaigns, there has been a sharp increase in calls from clients and other organizations concerned about that very question. In these cases, some cite a well-established U.S. data breach regulation, California's data breach law, SB 1386, to illustrate the challenge of predicting how GDPR might come into play.

Under SB 1386, noncompliance is defined as "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business." While a NotPetya infection didn’t seem to meet that standard, there’s no way to really say. And a specific company may be bound not only by the regulation, but also by their own contractual obligations to the customer. In other words, until May 25, 2018, organizations can only deal with hypotheticals.

It is worth noting that the definition of a data breach under GDPR is much broader than in the U.S. In Europe, data is considered breached if "accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed" occurs. That sets a far lower threshold than in the U.S. and so an event like a ransomware infection may put an organization at risk of action by the Commission even if U.S. law is not violated. That means that until next year, even the most rigorous compliance efforts must accept a certain amount of uncertainty.

Depending on available resources and willingness to accept a certain amount of risk, some aspects of implementing a compliance program may have to wait until after precedent has been set and clarity is further established.

That’s not a reassuring thought, but there is some comfort in knowing that the Commission has signaled that only egregious cases of negligence leading to a data breach are likely to be prosecuted aggressively. They recognize that no level of security can provide absolute protection. At least early in the process, honest mistakes are unlikely to be punished to the full extent of the law. Of course, that will be cold comfort for the organization with the ignominious distinction of being the first violator to be prosecuted.

Given the questions and uncertainties that are swirling around GDPR compliance today, I wonder if Veritas's figure of a 2 percent rate of compliance isn't overly optimistic.

Data security compliance is—and always will be—a moving target, and that is never as true as in the period before a regulation goes into effect. That is no excuse for complacency; it simply means that responsible organizations should do what they can in advance of GDPR to prepare—and remain vigilant after May 25, 2018 to ensure the security and integrity of the data that has been entrusted to them remains intact.

For reprint and licensing requests for this article, click here.