GDPR: Game-changing mandate and why you need to prepare
This post begins a 3-part series on the General Data Protection Regulation (GDPR) covering what it means to you, why you need to prepare, and how investing in upgrades and modern technology helps support your efforts.
Part 1: What GDPR means to you: No free passes, nowhere to hide
By Teesee Murray, Infor VP of Digital Strategy & Cloud
If you thought security and compliance mandates were already complex, hang on. A new era of accountability arrived May 25, as enforcement of the European Union’s General Data Protection Regulation (GDPR) went into effect. No matter your industry or location, you need to be ready. Investing in technology and upgrading your solutions are some of the early steps many companies are taking as they prepare to comply with the regulation.
Although the GDPR was passed by the EU Parliament, the new privacy law is expected to have a major impact on businesses worldwide. The law applies to both "controllers" and "processors" of data, meaning any organization that stores, handles, or processes personal data of EU citizens in any way. This also covers EU residents residing outside of the EU, thus creating an even larger applicable population.
Even more impactful, though, may be the change in mindset that the regulation will trigger. Consumers will be empowered. They will have a more unified voice to demand high security and accountability from businesses of all types, from retail to healthcare. GDPR is just the beginning of a heightened focus on the use and protection of personal data—placing responsibility squarely on businesses that generate and capture data—as well as those that use the data. And the fines for infractions are steep.
If you have not been following the GDPR discussions, it is time to get up to speed, and examine your own data and security policies. Investing in modern software, including the most recent version of your ERP, will be an important consideration as you map your data strategy.
Exactly what is GDPR?
The regulation was enacted by the EU Parliament in 2016, and enforcement began May 25, 2018. It aims to provide a high and consistent level of data protection to all EU citizens, no matter where they reside. Organizations that don't comply face heavy fines of up to €20 million or 4% of their global annual revenue, whichever is greater. The regulation covers, among other things, how you collect personal data, and what you must do if you experience a data breach. Turn to qualified legal and data experts who are thoroughly familiar with the GDPR for details, as they apply to your organization.
A report from IDC points out that GDPR does not specify how organizations must conduct themselves. “This impression is deliberate: it forces firms to decide how they should act—and what processes and technologies they should deploy—to achieve compliance.” This makes GDPR more complex and challenging to address than prescriptive standards such as PCI-DSS. “Companies must take risk-based decisions, which means the depth and understanding of knowledge of the multiple factors affecting risk must be sought. IDC estimates that GDPR is 10 times more impactful on most organizations than PCI-DSS has been to date,” writes author Duncan Brown in the report.
In addition to spelling out the many data applications covered by the regulation, the IDC report also contends there is an opportunity. “If the stick wielded by GDPR is substantial, then the carrot is that compliant companies will be protecting the personal data of customers, employees, and citizens in an effective and socially responsible manner. There is also an opportunity to create competitive advantage through being best in class in managing sensitive data types.”
Budget for investments
To comply—or turn data security into a differentiator—be prepared to make IT investments. You will likely need to upgrade or modernize your processes to prevent security breaches, track opt-ins, notify those affected if you have a breach, and properly collect and use personal data of customers and prospects. These are not simple tasks to execute in today’s complex, e-commerce-driven world. Outdated technology or manual processes will likely fall short of demands. Attempting to cobble together solutions from legacy systems may prove to be a slow, laborious process and ineffective.
The steep fines imposed on companies that do not comply make “doing nothing” highly risky. Even small to midsized businesses (SMBs) in the US are expected to comply.
A recent survey conducted by the International Association of Privacy Professionals indicates that Global 500 companies will spend a combined $7.8 billion over the next year preparing for GDPR compliance. Some of those costs will come from hiring consultants, assigning full-time staff, as well as deploying technology.
Some surveys and predictions point to impact. “One responder to a UK survey predicted that GDPR would cost their company £5 million to become compliant, and £1 million a year to maintain it. The predictions are not all dire. The UK Ministry of Justice projects that “a greater emphasis on compliance regulations will save between £42 million and £124 million in fines imposed by the ICO.”
Companies worldwide have been preparing, upgrading their technology, and improving data processes, in anticipation of the regulation going into effect May 25. Some software providers have been committing vast resources to making sure their solutions are GDPR compliant. Innovations are being built into upgrades, and new solutions are being developed that will make data security a daily routine, simpler to execute, and more reassuring to the public.
High financial and operational stakes are driving the focus on GDPR requirements. First, customers demand reassurance that their data is secure. In fact, having a highly secure system can be turned into a differentiator that builds customer loyalty.
But, the investment required to meet compliance mandates may be moderate or major, depending on the current state of processes and systems. Companies operating on outdated solutions will require more work to be up-to-date. An investment strategy and phased compliance schedule may be helpful. That strategy might include turning to cloud deployment to avoid a large upfront capital investment and to take advantage of the monthly subscription model.
If you haven’t started working on a plan, you are not alone. Consultant firm Capgemini conducted a survey in late 2017, and found 67% of respondents were aware of GDPR, but only about half had allocated budget and started to prepare for the new regulation.
The survey also indicates that 31% of those polled plan “programs to target only to comply with the mandate by the deadline. However, 28% are more proactive and optimistic. They consider GDPR “an opportunity to gain competitive advantage.” Another 22% say GDPR will help them protect customer data. And 19% are the naysayers who consider GDPR a low priority.
Education is an important part of moving toward data security. Now is the time to educate yourself and your team members about GPDR—and other security issues. Compliance won’t happen overnight, but investing in technology and upgrades will help you move in the right direction and improve your ability to meet GDPR mandates. You may even be able to turn your compliance into a differentiator for your customers.
To learn more about Infor solutions and how they can help you stay relevant and compliant with modern demands, watch the video “Cloud helps you stay forever modern” for more benefits of cloud computing.
Teesee Murray leads the global Digital Strategy & Cloud Team that is helping Infor customers pivot to the cloud and modernize their technology. She was recently recognized with a 2018 CIO “Ones to Watch” Award from IDG, honoring rising stars in IT.
- North America