Ready or not, the dreaded deadline for compliance with the EU’s daunting General Data Protection Regulation (GDPR) is here.
According to a recent survey of more than 300 C-level security executives by Netsparker, companies are taking GDPR very seriously. While many still aren’t compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), almost all (99 percent) of the executives surveyed said their organizations were actively involved in the process to become GDPR-compliant. Additionally:
Ferruh Mavituna, Netsparker’s CEO, tells Channel Partners there will be many who will not be completely compliant by the deadline, but “it’s not like GDPR is knocking doors and checking compliance.”
“Similar to PCI (Payment Card Industry Data Security Standard) or insurance, unless an issue arises, many details of GDPR compliance will not be scrutinized,” he said. “I’m pretty sure there won’t be an additional deadline; however, GDPR will be a soft launch, and they already said that they will warn first and take actions later. So companies will be warned before fined unless there is obvious abuse.”
Tim Vogel, Evolve IP’s vice president of compliance and security, tells Channel Partners the first item data-protection authorities (DPAs) will focus on will be breach notification.
“They seem to be greatly concerned with this area,” he said. “Companies should make sure they have a defined and tested process in order to comply within the 72-hour (notification) requirement. Even if a company cannot identify specific subjects that may have been impacted by a breach, it will be better to notify their DPA of the occurrence and let them know that additional investigation is happening rather than say they are waiting until all the facts are known.”
If an organization hasn’t reached compliance, it’s important to “make sure you have a program in place and are showing progress towards compliance, even if you won’t be finished prior to the deadline,” Vogel said.
“Eighty or 90 percent of the way is much better than trying to wait until everything is perfect,” he said. “It took Evolve IP, Evolve IP EU, and Evolve IP UK about a year to get to the position of being ready for GDPR.”
Becoming compliant is not something you can simply pay for; it is a process your team must work through, Mavituna said.
“Most of the tasks can only be done manually, and by people who are familiar with the system, such as documenting and evaluating all existing processes and modifying/fixing when something needs to be changed,” he said. The only way to speed up the process of becoming GDPR compliant is to …