Starting in May 2018, if you operate an enterprise or deliver services to customers in Europe – even if you are not located in Europe – your organization must be compliant with GDPR.

If you decide not to comply with the requirements imposed by the legislation, the regulators will be able to slap you with a hefty fine that corresponds to 4% of your top line, up to 20 million Euros (25M USD).

There are many legal requirements related to how you should protect your data. These are detailed in 99 articles and you must get a grasp of them as soon as possible as some of them demand profound changes in the way you operate as a business and how your information system is currently designed.

It is worth mentioning as well that there will be budgetary impacts not only due to the compliance project but to the very fact of operating in a GDPR-governed world. As an example, in terms of headcount, you will have to hire and/or designate a Data Privacy Officer to oversee compliance in terms of operations and for all future projects that involve customer data. To speak plainly, it means that 100% of your projects will have to be assessed for GDPR exposure before you can move on with them. This is not optional; it is a mandatory requirement if your organization has more than 250 employees.

Here are five challenges will you will face:

  1. This is not an IT or a security project, it is a corporate and transversal project that will require a lot of input from the various system users, especially on the business side, as only they know if their systems contain regulated data. Moreover, without proper top executive sponsorship, this project won’t be easy to deliver on time; executive support will help ensure every team pitches in.
  2. You need to map where the regulated data are located across both the business and the information system. As an example, a non-specialist might not understand that applications are not self-contained or autonomous. These applications rely on multi-tiered sets of technology and systems that are on premise and in the cloud, within both your organization and those of your business partners, and are used to consult, transmit, display, query, transform, store, backup and replicate the data.  In short, you need to map not only the data itself but also how it travels around, through its entire lifecycle.
  3. Once you understand the problem and the gaps, you need to figure out how to fill them. This is probably one of the challenges where there is a plethora of solutions available to you, should you be willing to buy them. Unfortunately, they don’t come cheap but they can save a lot of time if they are adapted to your specific technology context.  Technology, like encryption proxies that will tokenize the data and anonymized specific fields in a transparent manner to legitimate users, can save many weeks if not months of software redevelopment.
  4. Once you have the plan, you need to procure both the technology and the expertise. It’s unlikely that your current team have all the required knowledge to implement it on their own.  Even if they can, if they haven’t started, this is a huge project on top of everything else you already pay them to do.  For many of our clients, developments were externalized in the past, hence, they don’t even have the in-house knowledge of the application to fix this. At the risk of stating the obvious, the sooner you are done with the 3rd challenge, the more time you will have left to fix the situation.
  5. Manage an important cultural change. GDPR is not only about the information system, it is actually a lot about how we work with the data our customers provide us with.  The way people have been working up to now will be impacted. There will be frustration, and unless you’re a  large EU organization that has already had similar challenges before GDPR, it won’t be as simple as it was to continue to work ‘as is’.  Do not underestimate people’s resistance to change.

The good news is that you are not alone and you are not the first organization to face this challenge. There is a lot of best practice and technology readily available, but you better hurry up because this is not a 3-month project that you can wing, by plastering 3 pieces of software on top of your existing system.

Much like the state of California, the European Community is taking GDPR very seriously. Actually, much more seriously than our American friends, as they regulate how you protect the data, not only obliging you to “disclose” when there is a breach – and you are in for more than a slap on the wrist if you don’t meet your legal obligations.

Should you want to learn more on how we can help you, please do not hesitate to reach out to us.

Martin Dion (CISSP/CISM)
VP EMEA Service Delivery

Kudelski Security Team