Survey GDPR 2017:
GDPR compliance is a top data protection priority for 92% of US organisations in 2017, according to a PwC Survey
It’s not easy for U.S. companies to appease tough EU data privacy laws
At a panel on data privacy at the annual RSA cybersecurity conference in San Francisco, Cisco chief privacy officer Michelle Dennedy explained that companies—from sports brands to pharmaceutical corporations—are gathering more data than ever from the influx of Internet-connected devices now wired into their IT infrastructure. And the problem is that the upcoming regulation is especially tough on what’s known as profiling, which is essentially the ability for companies to use automation to determine certain characteristics of their individual users.
Companies are no longer just stockpiling their data into large repositories called “data lakes,” Dennedy said. They are now using various AI technologies like machine learning to build powerful software services that can automatically make decisions on their own, based on the data they processed.
The EU reached agreement on the GDPR in December 2015, and in the last twelve months preparing for the new law’s obligations has jumped to the top of corporate agendas. Of the 200 respondents to PwC’s recent pulse survey on GDPR preparedness, 54% reported that GDPR readiness is the highest priority on their data-privacy and security agenda. Another 38% said GDPR is one of several top priorities, while only 7% said it isn’t a top priority.
Much of the discussion about the GDPR has focused on the law’s privacy-centric requirements, such as mandatory record keeping, the right to be forgotten and data portability. The GDPR’s relatively generic information-security obligations, however, figure prominently in the GDPR plans of US companies.
• Among the 23% of survey respondents who haven’t started preparing for GDPR, their top priorities are data discovery, information security enhancement, third-party risk management and GDPR gap assessment.
• Among the 71% who have begun GDPR preparation, the most-cited initiatives in flight are information security, privacy policies, GDPR gap assessment and data discovery.
• Among the 6% who have completed GDPR preparations, the most-cited projects are information security, GDPR gap assessment, data discovery, and third-party risk management.
• IT re-architecture is the lowest priority for companies in all three phases.
Securing a $1 million budget for data privacy has been more an exception than a rule for many American corporations. The GDPR’s potential 4% fine of global revenues, however, has changed budget appetites for mitigating this GDPR risk. While 24% of respondents plan to spend under $1 million for GDPR preparations, 68% said they will invest between $1 million and $10 million. Nine percent (9%) expect to spend over $10 million to address GDPR obligations.
The pulse survey asked executives which EU cross-border data-transfer mechanism they planned to use for processing EU personal data outside of Europe. After the invalidation of the Safe Harbor agreement in October 2015, most Safe Harbor members implemented so-called model contractual clauses as a stop-gap measure. Many observers, especially those in the legal community, thought model clauses would become the new norm. While 58% of respondents reported that future strategies would include model contracts, a stunning 75% said they will pursue binding corporate rules (BCRs), while 77% plan to self-certify to the EU-US Privacy Shield agreement. The uncertain future of both model contracts and the Privacy Shield may drive US multinationals to adopt two or even all three of these options to hedge their risks.
US corporations that are heavily invested in Europe will probably stay the course in the near term. Indeed, 64% of executives reported that their top strategy for reducing GDPR exposure is centralization of data centers in Europe. Just over half (54%) said they plan to de-identify European personal data to reduce exposure. The threats of high fines and impactful injunctions, however, clearly have many others reconsidering the importance of the European market. In fact, 32% of respondents plan to reduce their presence in Europe, while 26% intend to exit the EU market altogether.
How should multinationals cover their GDPR bets? Here are three initiatives businesses should add to their 2017 GDPR transformation agenda:
1. Enhance DPA relationships. Chief Privacy Officers should use this window before data protection authorities (DPAs) are flooded with notifications to establish a rapport with their lead DPA and other DPAs where they have major operations. This rapport should include an introduction of key personnel, an overview of the company’s business model and a description of its privacy program. Establishing this context with DPAs can help smooth procedures in the event of a data-breach notification or a controversial data protection impact assessment (DPIA).
2. Inventory and define high-risk processing activities. The GDPR’s Article 30 requires companies to inventory their data-processing activities. Once complete, businesses should establish criteria to rank these activities into low, medium and high tiers of risk to the rights and freedoms of individuals. These risk determinations are critical to data-breach notification and DPIA requirements.
3. Build notification and DPIA capabilities. Many U.S. companies have a head start in developing the people, processes and technologies needed to execute timely data-breach notification and thorough DPIAs. Even those with an initial advantage, however, face a more significant task in modifying their procedures for unique EU requirements, training personnel and testing the repeatability of their controls.