Last week, we presented 5 Steps to GDPR Compliance to get those not ready for GDPR moving in the right direction. Everything in that article is necessary to maintain GDPR compliance on an ongoing basis. According to Senzing, on average, businesses with 10 or more employees are expected to receive 131 GDPR-related inquiries per month. So, not only is the challenge to protect data, it’s also to respond to all of these inquiries in a timely manner.
Why do people want access to the personal data you have about them? A poll of 1,000 UK residents by Macro 4 cited: A) suspicion that you have unauthorized information; B) curiosity about what you have about them; C) compensation for payouts; and D) revenge for bad experiences.
In multiple choice tests, “C” is the answer with the highest statistical average of being correct.
While this is not a multiple choice test, “C” stands for “CAUTION!!! Contents Hot!!!!”
The Cost of Mistrust and Non-Compliance
Call it a toxic and hostile environment. Most businesses might be concerned over the hefty GDPR fines and penalties for non-compliance, the greater of €20 million or up to 4% of worldwide turnover.
Smart companies are concerned about the potential for much larger class action suits over data breaches. Non-compliance equates to the potential for fines, lawsuits and legal fees. Pre-GDPR examples to ponder include Yahoo’s $80 million payout, Target’s $18.5 million payout, and the massive Equifax 50-state class action lawsuit, among others.
Doing GDPR Compliance Manually
Let’s run a quick comparison between manually handling GDPR-related requests vs. automating them. Remember, GDPR pertains to basically all Personally Identifiable Information of an EU resident that your business may have – regardless of where it is. It includes customers’ data from your network, servers, desktop computers, laptops, mobile devices and third-party applications. And yes, it includes files in hard copy filing cabinets and even off-site document storage facilities.
Fortunately, we are not yet into the whole Keanu Reeves “Johnny Mnemonic” human augmentation thing. If that doesn’t give you a nosebleed, you’ll probably still want to cry.
Senzing’s report goes on to specify that the “average company” will need to review an average of 23 databases at 6 minutes each, or 19 hours per day. Of course, there’s a broad range reflected by this average. Some SMEs might get by on spending one hour on GDPR per day, while large enterprises will require 60 hours per day or more to keep up – 7.5 full-time employees!
Your Data Protection Officer (DPO), the role usually responsible for ensuring that this sort of thing happens, probably will do one of two things:
- Request (or Demand) consolidation of customer data to a necessary minimum of locations.
- Find another job with a company automating most aspects of GDPR compliance.
Automated GDPR Compliance Solutions
GDPR Compliance Training & Awareness
Your Data Protection Officer will likely be responsible for GDPR training of all personnel in your company, possibly in conjunction with your Human Resources Department. GDPR training and awareness are covered by Article 39. While the Data Protection Act of 1998 is specific to UK law, its Training Checklist provides excellent interim guidance until you have one comprehensively suited to GDPR. Above and beyond GDPR training, the DPO should weigh in as a Data Privacy Advocate within the organization. To go the extra mile, organizations might also seek ISO 27001 Certification on Information Security Management.
Reporting Data Breaches & Supervisory Authorities
Data breaches threatening people’s rights must be reported to the supervisory authority within 72 hours (Art 33). Individual persons who may be impacted by the breach must also be informed in a timely manner (Art 34). While GDPR talks a lot about supervisory authorities, it doesn’t say who they are.
Businesses inside the EU can find a full list of lead supervisory authorities by country here. Businesses outside of the EU, however, must report data breaches to the supervising authority of each country of the EU residents impacted – a migraine headache even by legal standards.
However, notification of both the individuals impacted by a data breach and the supervising authorities can be mostly automated. With GDPR by Design, manual input is mainly required for defining the message of notifications.
Supervising authorities of the GDPR have the authority to conduct audits to see whether businesses are in compliance or not. If they are not, they can be penalized and fined. That’s possible even if there hasn’t been a data breach. A survey by Amárach Research indicates that 55% of companies believe they will receive an audit in the next 18 months. One way to be confident that you are GDPR compliant is to train for and conduct an independent audit. For this purpose, here’s a free, handy Audit Checklist by Global DataHub.
GDPR Operational Costs
If you’ve looked around, you’ve seen a lot of holy*#@! 6-8 digit cost figures floating around for implementing GDPR.
- A study by Veritas Technologies indicates companies expect to spend $1.4 million on average on GDPR compliance initiatives.
- The Financial Times estimates Fortune 500 companies will spend an average of nearly $16 million each on GDPR compliance.
- The cost of non-compliance is expected to be 2.71 times the cost of maintaining GDPR compliance according to infosecurity-magazine.com.
Banks and financial services can expect to have the hardest time and greatest expense when it comes to full GDPR compliance. Businesses and enterprises with mobile apps, however, have much easier and more cost-effective options.
Since it’s a SaaS solution, after installation of GDPR by Design, you only pay for your active users who are residents of the EU and UK. For mobile-first businesses, GDPR by Design integrated into mobile apps could cover 70-100% of your automation requirements. You will still need to provide for:
- Data Protection Officer and assistants, or a DPO outsourcing agency.
- GDPR training of your personnel.
- Cost of independent GDPR audits.
The costs of non-compliance go beyond fines. They also include possible civil suit damages and legal expenses. Even then, you will still have the costs of becoming GDPR compliant.