In preparation for May 25, data-driven companies (and really, that’s most of us) have started doing business differently, bracing for the enforcement date of the General Data Protection Regulation (GDPR). And all companies with customers and employees who are residents of the European Union should be handling personal data carefully after that: Violations can result in fines of up to 4% of annual global revenues or €20 million (whichever is greater).
When we reached the milestone of 100 days until May 25, one of our McAfee legal interns put up a countdown clock on an internal website. Lots of words have been spent on hair-on-fire, panic mode fretting about the fines – and anyone who tells you that they know exactly what to do to avoid getting fined is selling you a false promise.
As we get to this homestretch, I think it’s important to pause a minute and make sure we are looking at the forests as well as the trees. GDPR doesn’t tell us to encrypt this but not that, but it does tell us we need a cultural change around data protection. An attitude of Great Data Protection Rocks (GDPR – get it?) works together with McAfee’s concept of a culture of security to introduce better and constantly improving practices.
But the 100 days are flying by, and things aren’t perfect – what to do? First, take a deep breath; you can’t get anything done if you’ve fainted. Second, remind yourself of the strategic principles and the core intent of the GDPR: honoring the fundamental rights of the data subject to have control over their information and to have it properly cared for when it is outside their control. And third, read McAfee Principal Engineer Mo Cashman’s great four-part blog series that lists questions to ask your organization, including:
- Is there a current data-loss prevention project in place or planned for this year? Data-loss prevention too often gets thought of as a security project, but the best implementations have security folks partnering with privacy and legal team members as well as business stakeholders.
- What key security and business processes should be reviewed for applicability and current state of capability? Mo reminds us to stop and define “key.” This is the sort of soul-searching that every company needs to do for itself, and make hard decisions (that you should check back on) as to what is most important.
There are a lot of things I like about Mo’s series, including the calm tone, but what I like most is that it basically says if you aren’t sure what to do, start somewhere, and here are some ideas that will help you with the larger picture. Some folks with lots of resources (and yes, the Data Protection authorities) might be horrified that some places haven’t started on GDPR compliance, but this is a journey and we all have different starting points. I bump into a lot of people who are still finding their way in the GDPR fog when I get outside McAfee.
And even for those of us who have been working on GDPR readiness for a long time (and it feels like a really long time to me right now – I’m much more of a hare), we must think about the long haul. Changing culture takes time, and it’s a big shift to a culture of security and data protection for many organizations. We need champions, new language, new processes, new policies, and procedures. If we keep breathing and keep thinking about the big picture, and keep working together on the hard questions, we’ll get there.
You can find much more free GDPR educational material on our website.