Tips for complying with GDPR, avoiding big fines

In its first year, the EU’s General Data Protection Regulation (GDPR) yielded nearly 90,000 data breach notifications and two notable fines for companies that regulators said lacked compliance with the data privacy rules.

Google was fined €50 million ($55 million) by French officials, and British Airways faces a fine of £183 million ($223 million) in the UK. Those are the big names; other smaller fines have been handed down since the regulation took effect in May 2018.

GDPR gives EU residents more knowledge of how companies collect, protect, and use their personal information. The rules stretch beyond the EU; they may apply when data of non-EU citizens is processed or goods and services are offered to EU citizens but no payment is received. Organisations with European workers, third-party contractors, or customers can potentially be subject to the regulation.

Failure to comply with GDPR can carry a fine of up to €20 million ($22 million) or 4% of a company’s annual, global turnover, whichever is greater.

A recent survey shows that many businesses still have steps to take before they are in compliance.

Global advisory firm RSM found that 57% of companies are confident that they follow GDPR rules. Thirty per cent said they’re not compliant, and the remaining 13% are not sure. The respondents are individuals responsible for GDPR compliance in their organisation. The survey included midsize businesses from 34 countries.

Steven Snaith, technology risk assurance partner at RSM UK, offered steps that organisations can take to get caught up on GDPR compliance or to ensure they remain compliant. The first two, he said, are the most labour- and resource-intensive. They could be remembered by the phrase “map and gap”:

Know where your data sits. “GDPR’s all about data, so organisations need a good level of awareness in terms of where that data sits in an organisation,” Snaith said. “For example, is it in IT systems, paper records, where is it being transferred to, from A to B to C.” The data environment is quite complex at many companies, especially those that use third-party providers for payroll or IT, so a good mapping of all data and knowing what kind of data falls within the scope of GDPR is a first step to ensuring compliance.

Perform a gap analysis. The second step, Snaith said, is to overlay that “in-scope” data with GDPR requirements, so you know things such as how long data is kept, how it is being secured, and whether you have the proper controls in place. Finding these gaps can make a data breach or GDPR complaint less likely. Such analysis should be repeated, Snaith said, because business processes or other changes could lead to gaps being created. “If you don’t keep that process up to date, there can be a false sense of assurance,” he said.

Develop incident response plans. Create a plan if you don’t have one, or re-examine and refine your plan if you do. For instance, one GDPR requirement is that companies notify authorities and affected individuals of high-risk security breaches within 72 hours of discovering the event. “If your organisation is the victim of a data breach, you must make sure you’ve got a good response process in place in the event that breach [happens],” Snaith said. Incident response can also include interaction with media and customers after such an incident. In many ways, he said, an organisation’s response to a data breach is just as important as trying to prevent one from happening in the first place.

Obtain third-party assurance. The vendors you use should have the same level of care with data that you do, Snaith said. This is easier said than done, but System and Organization Controls reports in the US or International Standard for Assurance Engagements reports in the UK are good ways to start. In the survey, 34% of businesses don’t understand what procedures are required to ensure that third-party supplier contracts are compliant.

Continue to test systems and educate employees. Strong compliance practices include regular vulnerability testing of systems and keeping staff informed. For instance, data breaches are less likely to occur if employees have training on setting up strong passwords or on identifying phishing emails.

GDPR has benefits and drawbacks for companies, according to the RSM survey. For example, 73% have improved the management of customer data since the regulation took effect, and 58% say GDPR has encouraged new and innovative uses of data. Sixty-two per cent say GDPR has caused increased investment in cybersecurity, and 37% say that GDPR compliance costs have slowed growth.

— Neil Amato (Neil.Amato@aicpa-cima.com) is an FM magazine senior editor.