One of the most influential business books of the early 21st century is Thomas Friedman’s The World is Flat: A Brief History of the Twenty-First Century. He argued that the world is a level playing field where all competitors have equal opportunity. Historical and geographical divisions that gave certain advantages to countries, companies, and individuals are becoming increasingly irrelevant, and growing numbers of companies are involved in global commerce that knows few, if any, boundaries.
Flattening data privacy and protection rules across the European Union (EU) was the premise behind the passage of the General Data Protection Regulation (GDPR) that will go into effect Spring 2018. The intended outcome is a unified set of consistent regulations that makes it easier for companies to conduct business across every EU member state.
Yet, the reality is that GDPR goes much further than simply flattening the playing field. It includes some substantial tightening of data privacy and protection regulations and prescriptive security measures. It also extends to a broader set of businesses and public organizations. In addition, for those who believe that the GDPR only applies to businesses within the EU, think again! It applies to any international company that conducts business within the EU, even when the business resides outside the union. As Friedman argued, the world is flat and regulations know no geographical boundaries.
Extensive Implications, Reach, and Scope
Businesses based in the U.S. that sell products in the EU or those that outsource customer service or the manufacturing of components to states in the EU are impacted. Likewise, GDPR regulations do not discriminate based on industry or company size. Just as a large enterprise based in Japan that sells products in the EU must demonstrate compliance, so does a small business in Canada that sells products in Wales.
Noncompliance is a scary proposition. Regardless of business size, the financial penalties are severe with proposed fines of up to four percent of global annual turnover or 20 million Euros (whichever is higher).Small businesses could quickly find themselves insolvent, while large enterprises could be faced with negative gross profit margins.
Even though the GDPR does not go into effect for another year and a half, the time for action is now. IT projects require significant planning and implementation, and GDPR entails more than just IT; it also involves business process reengineering and budget allocation. Indeed, it could be one budget cycle away for some businesses. And just as Y2K required a substantial runway, so does GDPR. Organizations that wait until the last minute to ensure they have the right systems and processes in place put themselves at serious risk.
Preparing for Personal Data Security Underneath GDPR
For many businesses, GDPR might be the first time they have needed to comply with such a strict data privacy and protection regulation. And chances are these businesses may lack the technology and policies to discover, secure, and govern personal data to meet GDPR requirements.
Unlike larger enterprises that rely on data loss prevention (DLP) to address similar regulations (e.g., PCI- DSS, HIPAA, GLBA, etc.), small and midsize businesses simply have not had the resources – time or staff – to manage traditional DLP solutions. Implementation of these solutions was painstaking and required substantial staff resources and expertise, and ongoing management was a big headache – ranging from extensive policy implementation to disruptive false positives and quarantines.
The good news is that technological advances in cybersecurity offer businesses new to the regulatory world, or those looking to optimize their data security, the ability to address GDPR’s data privacy and protection stipulations without yesterday’s complexities and extensive costs. Compliance solutions optimized for GDPR can be added on to existing environments without the need to rip and replace legacy security solutions. Business outcomes include:
- Data Visibility. Discover, track, and trace personal data with unprecedented level of inspection.
- Intelligent Policy Enforcement. Policies unique to data context, type, channel, and sharing relationship.
- Adaptive Security. Flexible, non-disruptive measures applied based on GDPR policy requirements (e.g. block, encrypt, redact, sanitize, delete or move).
- Governance. Transparent visibility into GDPR reports, policy violations, and breach analysis to ensure compliance.
The clock is ticking and the world is not getting any flatter, so get started on the road to GDPR compliance in the new world of data privacy and protection.