One of the most notable events in the world of security and privacy in 2018 was the arrival of the European Union’s General Data Protection Regulation, or GDPR. The new rules took effect in May 2018, and represent perhaps the most wide-reaching, comprehensive data protection regulation in history. It applies not only to companies in the EU, but also to any organization, wherever it is based, that processes personal data about people in the EU.
The GDPR aims to give consumers more control over the personal data companies collect about them, and it covers conditions of consent, data storage methods, data breach notifications and consumers’ ability to access and erase their data. Achieving compliance requires some companies to significantly alter the processes and technologies they use to manage data.
However, while the GDPR marked a dramatic change on paper, recent surveys suggest it has not had as much of an impact in the real world as one might think. Why? Because a large percentage of companies are still not compliant.
In a recent survey from the International Association of Privacy Professionals (IAPP), less than half of respondents said they are fully compliant with GDPR. Nearly one in five participants in the survey, the IAPP-EY Annual Governance Report 2018, said they believe full compliance with GDPR is impossible. Why are so many companies not yet compliant with GDPR?
Adhering to the GDPR is not optional, as companies can receive a hefty fine for noncompliance. Becoming compliant, however, can be complex and require substantial investments and changes to processes and technologies. Compliance with the GDPR is especially critical for data centers.
Why The Low Compliance Rate?
If the GDPR is so essential, why are so many companies not yet complying with it?
The GDPR isn’t the first data protection regulation ever enacted. For example, there was the Data Protection Act 1998 in the United Kingdom. Various U.S. states, including Alabama, Colorado, Vermont and others, have passed data protection and breach notification laws. There are also requirements such as the DFARS clause on cybersecurity, which applies to companies contracting with the U.S. Department of Defense. The GDPR may be the most wide-ranging rule of its kind yet, though, which can make it challenging to adhere to.
Compliance with the GDPR may require substantial shifts in the processes and technologies companies use to manage information, especially those that handle large amounts of it like data centers do. Companies that are ahead of the curve may have already made meaningful changes to the way they operate, but for the others, the most significant periods of change are still ahead.
To meet the requirements of the new rules, organizations need granular control over their data: they must know what personal data they hold, where it is stored and why it is processed. They must set up infrastructure that enables them to respond to requests from consumers to access, correct and erase their personal data within the regulation’s deadlines.
They also need to set up documentation and reporting processes that enable them to prove they obtained consent to collect and use data, as well as document other compliance measures. Organizations should set up methods of communication with consumers to inform them of how they plan to use their data. If a breach occurs, they must notify the supervisory authority within 72 hours of becoming aware of it, and must inform the affected individuals without undue delay when the breach is likely to result in a high risk to them.
GDPR also had a significant financial impact on companies in 2018 and will continue to affect businesses in the years to come. According to the IAPP survey, firms have spent an average of $1.3 million on GDPR compliance and expect to spend an additional $1.8 million.
Another potential issue is a lack of awareness among small businesses, although this is unlikely to be the case with data centers. An International Data Corporation report from April 2018 found about half of small businesses outside Europe were unaware of GDPR. Midsized businesses had much greater awareness around the world.
Why Is Compliance Important?
Compliance with GDPR is vital for a wide range of organizations, namely any that deal with the personal data of people in the EU. It’s especially crucial for data centers.
GDPR will cause changes not just for individual businesses, but also for entire economies. These transformations began in 2018, but they’re far from over. Data centers play an outsized role in GDPR compliance because they own the assets on which personal data is stored, and because the regulation imposes direct obligations on processors as well as on the controllers whose data they hold. Data center managers are often among the few people who understand where all these records live, so they end up performing many of the functions that enable GDPR compliance.
Organizations that don’t comply with GDPR, including data centers, could also face severe penalties. However, regulators may initially be more forgiving in their enforcement as businesses get used to the new requirements.
They may be less lenient with data centers, though, since they handle more substantial amounts of information and are expected to be experts in data management. Failing to meet GDPR requirements could result in a fine of up to €20 million — equivalent to approximately $23 million — or 4 percent of annual global revenues, whichever is higher. Data breaches can be expensive even without fines, but noncompliance with GDPR increases the financial risks even further.
Of course, compliance with GDPR also has benefits for the customers of data centers. The rule should help protect consumers’ personal data from misuse and give them more control over it.
Compliance with GDPR requirements could be a selling point for data centers, as it improves their reputability and shows they can provide the enhanced protection and flexibility GDPR requires. Even for centers that don’t have to comply because they don’t handle the personal data of people in the EU, adherence to GDPR could still be beneficial.
Achieving compliance with GDPR may be challenging, but the benefits outweigh the costs. Meeting the requirements of GDPR is essential for many different types of organizations, but is especially crucial for data centers, which play a central role in the protection of personal data.
To achieve compliance with the new requirements, data centers may need to make substantial adjustments, depending on the technologies and processes they used before the rule went into effect. To ensure compliance and a smooth transition, data centers should:
- Appoint staff to oversee GDPR compliance (a data protection officer, where Article 37 of the regulation requires one) and clearly define that role
- Collaborate across departments and provide transparency within the organization related to data protection
- Prepare to make changes and establish systems to meet GDPR requirements and respond to consumer requests
- Create plans to ensure ongoing compliance and leave room to adapt their processes to potential changes in requirements
- Ensure all third-party vendors are also compliant, and that written data processing agreements with them are in place
Thanks to GDPR, 2018 marked the beginning of a sea change in data protection and privacy rules. The real-world changes, though, are only just beginning to occur, as many companies still aren’t following the new rules.
However, compliance with GDPR can have substantial benefits both for consumers and businesses that handle personal data. It’s crucial for these organizations, especially data centers, to take steps to ensure they’re adhering to the requirements of GDPR.