In this column, let’s continue our evaluation of the GDPR (general data protection regulation), which goes into effect in the European Union in May, and its impact on interoperability and connected devices. Last week’s blog gives you a greater understanding of the GDPR compliance milestones and hurdles that are just around the corner and what’s at stake for companies that ignore the impending deadline. There are some costly consequences for turning a blind eye.
Before I delve even deeper into the directive, let’s recap a few key points about the impending deadline. In 2016, the EU parliament approved the GDPR regs, replacing the previous data protection rule that was put in place in the 1990s. It should be noted that the GDPR is a big deal because it has a much broader jurisdiction. The fact that it governs how companies process, store, and secure data represents one of the most extensive overhauls to data protection rights in recent memory.
Besides extended jurisdiction, some of the changes reviewed include strengthened conditions for consent, mandatory breach notification, customers’ rights to access their personal data or be forgotten, and the appointment of DPOs (data protection officers).
Guess what, it’s 2018, and the May 25 deadline is knocking on the EU’s door. So how is compliance coming for devices and interoperability? According to the European data protection supervisor, the EU’s independent data protection authority, in general, there has been “continuous and steady progress” in implementing data protection rules throughout EU institutions, bodies, offices, and agencies.
The EU’s governance authority also released a report that suggests progress looks pretty good from several angles. For instance, at 66% of the companies surveyed, senior management has been briefed on the GDPR. On the surface that stat seems good, but when we dig deeper, the news should be taken with a grain of salt.
Let’s be clear, a majority of those surveyed for this report are based in the U.K., where awareness is bound to be the highest. And nearly 40% of those that appointed a DPO to oversee GDPR compliance have assigned an existing employee. What’s more, keep in mind, most organizations have implemented or are implementing a breach notification procedure and an incident response plan. About 63% are planning to undertake GDPR training.
However, it’s not all rosy. There is still a long way to go in terms of compliance. For instance, IT Governance says almost half of those responsible for GDPR compliance lack at least one formal or relevant qualification.
About 68% reported they have not yet updated their processes to comply with data subject rights. Almost 50% of companies have not yet allocated a GDPR staff awareness budget.
And, speaking of budgets for GDPR compliance, they’re pretty low, according to this survey, at just around $6,200. Actually, one of the biggest challenges for compliance is a shortage of resources—monetary and otherwise.
About 50% of organizations say they’re struggling to obtain the right level of competence and expertise to implement their GDPR project. In fact, the biggest hurdle is implementing the appropriate technical and organizational measures to secure data.
Clearly, there is still a good amount of uncertainty about what some of the GDPR’s provisions mean and/or how they should be applied. This uncertainty can be costly.
As the two-year grace period for GDPR compliance comes to a close, too many businesses remain unprepared, and they will pay for it. Compliance infringements can result in fines up to €20 million, which is more than $23 million, or 4% of a company’s total annual turnover, whichever is greater.
And yet, despite these hefty potential fines, it’s being reported in the U.S. by Experian that only 9% of U.S. multinational companies have prepared for the new GDPR requirements. One of the problems may be that some U.S. companies aren’t aware that they need to comply. You don’t necessarily need to do business in Europe to fall under the jurisdiction of the GDPR.
If you’re wondering just who the GDPR affects, I’ll give it to you straight from the source.
According to the EUGDPR.org, “The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
Basically, if a company holds any information on EU data subjects, it must comply with the GDPR’s rules. If your company falls under this umbrella and you have questions about compliance, go read the GDPR FAQs page on EUGDPR.org.
There are also companies offering solutions that help businesses meet the EU’s latest security requirements. One example is from NICE, a provider of enterprise software solutions. NICE recently released an end-to-end GDPR compliance solution that’s designed for contact centers.
First and foremost, the solution helps companies meet the security aspects of the GDPR to help protect sensitive data. The solution also simplifies the implementation of data governance processes to support customers looking to achieve greater transparency and comply with the GDPR requirements.
It offers dashboards that monitor data governance processes and can notify users about potential breach or vulnerabilities. It also helps businesses satisfy the request of customers looking to exercise their “right to access” and their “right to be forgotten.”
This type of solution has a lot of promise for those businesses that need direction and are struggling to manage the GDPR requirements. It’s clear, the penalties for noncompliance are hefty, so I’d recommend my readers conduct their due diligence.
For those that don’t have to comply with the EU’s GDPR directive, it’s still really important to think about how interoperability will ultimately impact manufacturers as time progresses here in the U.S. As I mentioned in my last column, companies really need to take a closer look at how the data that is transmitted between all these things we talk about every day will change, and what that means for smart homes, cities, cars, and so much more.
It’s very clear there are many lessons to be learned here. And at the very least, every company should be asking how it can improve data security. Data and device security, alongside interoperability within the IoT ecosystem, are perhaps some of the most crucial topics in the industry today. That’s why no industry is immune from the question of data interoperability.