A new report from W8 Data reveals that only 25% of existing customer data meets the requirements specified under the GDPR. At the same time, the GDPR enforcement date is at the time of writing only 129 days away. In the legal departments of European organizations, one silent question is yet to be answered: Is it time to start a panic?

Some common myths



Before we go into a timeline for the preparation work, it is good to clarify some common myths or misunderstandings about the GDPR.

No one will be fined/everyone will be fined

Many think that the actual risk connected with the GDPR is small. Other believe that a breach of the regulation will result in an immediate 4% of the revenue fine. The truth, as always, lays somewhere in between. The GDPR will without a doubt be controlled and companies will be fined for the breaches. The first organizations to be reviewed are most likely those who a) recently had a security breached that resulted in the uncontrolled/illegal circulation of personal information or b) organizations who have a bad reputation of following previous/current EU laws/regulations or c) generally well-known/widely established/highly profitable organizations.

It’s a one-time work effort, and you’re good

Organizations tend to talk about the GDPR as the Y2K problem. It’s a doomsday moment that will occur on a specific timestamp and then never happen again. This couldn’t be more incorrect. If you fail to comply to The GDPR on the 25th of May 2018 the sky won’t fall down, and on the other hand if you make it to the 26th without having your doors ran down by regulators from EU, nothing has really changed. The GDPR should be looked on as the new status quo. This is the new reality that organizations all over Europe will have to adapt to, or they will have to pay the price…

As long as there is no breach there is no problem

Another common myth is that the regulation will only apply to organizations that have fallen victim for a security breach which violates user personal data. This is unfortunately (for the organizations) nothing else than wishful thinking. A public breach will be a red flag that most likely will result in an audit, but it will far from be the only reason for an investigation (as mentioned above).

Your first four steps

So now that we have discussed some of the myths that surrounds the GDPR, it is time to talk about Your organization’s preparation work. To make it easier, the implementation of the GDPR has been broken down into four general steps.

Step 1: Current Situation (Gap) Analysis

This first step is all about understanding Your organization and the gap between the current status of data protection compliance and the obligations that comes with the introduction of the GDPR. Questions you need to answer is what kind of departments in your organizations that process what kind of data and for what purposes, how are data subjects protected, are there clear roles and responsibilities implemented, what IT security rules and measures are in place and much more.

Step 2: Risk Analysis

You can’t be compliant with the GDPR in one giant move. The scope is just too big and too honest, you’re probably way too far behind the time schedule. Therefore, a risk analysis has to be executed. What data processing activities are of biggest risk to a) the organization’s business and/or b) rights of the data subjects? This is a good foundation for the risk analysis of your specific organization. This result will then be matched against the risk of the highest fines. To be able to perform this risk analysis you either need to a) go through your whole software portfolio manually or b) acquire a software that will automatically detect your risk software and/or computers/servers that might have increased risks for a security breach.

Step 3: Project Planning

The implementation of the GDPR will require an organization-wide collaboration with mainly the European entities involved. It is very important to have an awareness of the project spread to the organization’s C-level management, with all the necessary actions communicated.

Clear roles and responsibilities should be assigned to all the involved EU offices, as well as designated project manager lead, leading the project from a central point.

At this time resources needs to be allocated and planning should cover things such as a) internal resources (personnel, software etc.) and b) costs and c) legal impact.

Step 4: Implementation

There are some key elements that needs to be implemented when it comes to the implementation step, such as:

• Defined roles and responsibilities

Clear roles at the local offices (as well an accountable project lead at the HQ) should be in place to easily give and execute data protection orders and b) communication of data protection related matters

• Procedures and concepts

Many GDPR obligations can only be implemented if respective concepts, policies and standard operating procedures are first in place, for example regarding breach notifications, Data Protection Impact assessments, data subjects’ rights etc.

• Education/training

One of the key factors is spreading knowledge about the GDPR within the organization. Employees should be training about their rights, obligations and responsibilities deriving from the GDPR.

• Documentation

All measures implemented to demonstrate compliance with the GDPR requirements should be documented, reviewed and updated regularly.

Timeframe

So, what kind of time frame are we talking about to achieve GDPR compliance? If you want to count pessimistically, you should have “a two-months-per-step-with-two-extra-month-for-each-new-step approach”. This means that Step one will take two months, Step two will take four months and so on, which gives a full implementation time of 20 months. If you want a more optimistic approach you can have a 2-2-4-4 approach for the four steps, which gives a total implementation time of twelve months.

Worth to note is that both these timestamps of course are highly general, and the actual numbers will fully depend on the size of your companies, the complexity of your infrastructure, the software/policies/roles in place etc. Also, after these four steps there is a fifth step that will never end: Maintaining.

What we can say, looking on the estimated time frame above and the GDPR enforcement date only being 129 days away, is that your organization’s work should already be well on the way.

In fact, to summarize, if you haven’t reached Step 3 (or haven’t yet started the implementation work) then the answer to the question in the introduction is yes. It is time to panic.

Read more about how Xensam can help you with GDPR here.