GDPR or Naught

Over the past few weeks, there have been multiple major news stories regarding data security, but the one that affects over 85 million individuals is Facebook and its massive data scandal with Cambridge Analytica. The data that was leaked originated from Facebook, but it was used improperly by third-party external developers. With proper data privacy and data protection regulations and policies, this could have been avoided.

Is GDPR Compliance Right for You?

GDPR (General Data Protection Regulation), which goes into effect on May 25th, is a landmark piece of legislation that is changing the privacy compliance landscape and causing organizations to rethink how they operationalize privacy. The regulation mandates that any organization that processes, stores or collects EU citizen data must follow strict guidelines, not only to protect this data but also to ensure that the data is used only in ways to which the data subject has explicitly agreed. Not all organizations must comply with GDPR, but that doesn’t mean they should ignore data privacy, protection and retention for the data they collect and store.

Organizations in North America are wondering whether they need to be compliant with GDPR and what the requirements and risks will be. While any organization that collects and stores even one record of an EU data subject is technically in the GDPR crosshairs, there isn’t a “one-size-fits-all” approach to compliance. Compliance efforts should be based on the level of risk exposure that your organization is willing to accept. In addition, there are certain baseline practices that the GDPR recommends that can be implemented anywhere.

The level of risk exposure depends on a myriad of factors, such as the complexity of your operations, the number of EU data subject records you hold, where your customer base resides, etc. Based on those factors, compliance priorities and options will differ with the level of risk.

The chart below hypothesizes levels of risk and associated attitudes related to GDPR, possible compliance approaches to take and resulting business implications.  If your organization believes the risk is low, this does not mean you can ignore your current data privacy, protection and retention practices; instead, you should reassess your current business practices around risk posture.  Once you have completed this reassessment, you can appropriately invest around these areas to help reduce the risk of potential data breaches and data loss.  

Implementing Best Practices and Reducing Risk

Even if you feel GDPR is not appropriate for your organization, you should still implement best practices around data protection to reduce the risk of data breaches and data loss. There are a few common ways that organizations lose data, and implementing best practices around data privacy, protection and retention can help reduce the risk of each of them.

Based upon data from Privacy Rights Clearinghouse, the top causes of data loss are: (1) hacking, malware or malicious code (57%); (2) unintended disclosure (22%); and (3) portable devices and physical loss (17%). Companies should prioritize and manage these risks to help limit their exposure to data loss.

Understanding your current and expected data security posture, your desired risk appetite and the available investment in resources and technologies will help you prioritize and build a reasonable and effective data privacy plan.


© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
