What does EU’s GDPR mean for manufacturers?
June 14, 2018
What GDPR means to you: No free passes, nowhere to hide.
If you thought security and compliance mandates were already complex, hang on. A new era of accountability arrived on May 25th. And, no matter your industry or location, you need to be ready. Investing in technology and upgrading your current solutions are some of the early steps many manufacturers are taking as they prepare for compliance with the regulation.
Although the General Data Protection Regulation (GDPR) was passed by the E.U. Parliament, the new privacy law is expected to have a major impact on businesses world-wide. The law applies to both “controllers” and “processors” of data, meaning any organization that stores, handles, or processes personal data of E.U. citizens in any way. This also covers E.U. residents who now may be residing outside of the E.U., thus creating an even larger applicable population.
Even more impactful, though, may be the change in mindset that the legislation will trigger, some industry pundits contend. Consumers will be empowered. They will have a more unified voice to demand high security and accountability from businesses of all types, from retail to health care. GDPR is just the beginning of a heightened focus on the use and protection of data—placing responsibility squarely on businesses who generate and capture data—as well as those who use the data. And, the fines for infractions are steep.
If you are not following the GDPR discussions, now is the time to become immersed in the details of the regulation and examine your own data and security policies. Investing in modern software, including the most recent version of your ERP, will also be an important consideration as you map your data strategy.
Exactly what is GDPR?
The regulation was enacted by the E.U. Parliament in 2016 and went into effect May 25, 2018. It aims to provide a high and consistent level of data protection to all E.U. citizens, no matter where they reside. Organizations that don’t comply face heavy fines of up to 20 million euros or 4% of their global annual revenue, whichever is greater. The regulation covers, among other things, how you collect personal data, and what you must do if you experience a data breach. Turn to qualified legal and data experts who are thoroughly familiar with the GDPR for details, as they apply to your organization.
A report from IDC points out that GDPR does not specifically tell organizations how to conduct themselves. “This impression is deliberate: it forces firms to decide how they should act — and what processes and technologies they should deploy — to achieve compliance.” This makes GDPR more complex and challenging to address than prescriptive standards such as PCI-DSS. “Companies must take risk-based decisions, which means the depth and understanding of knowledge of the multiple factors affecting risk must be sought. IDC estimates that GDPR is 10 times more impactful on most organizations than PCI-DSS has been to date,” writes author Duncan Brown in the report.
In addition to spelling out the many data applications covered by the regulation, the IDC report also contends there is an opportunity. “If the stick wielded by GDPR is substantial, then the carrot is that compliant companies will be protecting the personal data of customers, employees, and citizens in an effective and socially responsible manner. There is also an opportunity to create competitive advantage through being best in class in managing sensitive data types.”
Budget for investments
To comply—or turn data security into a differentiator—be prepared to make investments. You will likely need to upgrade or modernize your processes to prevent security breaches, track opt-ins, notify those affected if there is a breach, and properly collect and use personal data of customers and prospects. These are not simple tasks to execute in today’s complex, ecommerce-driven world. Outdated technology or manual processes will likely fall short of demands. Attempting to cobble together solutions from legacy systems may prove slow, laborious, and ineffective. The steep fines imposed on companies that do not comply make “doing nothing” highly risky. Even small to midsized businesses (SMBs) in the US are expected to comply.
A recent survey conducted by the International Association of Privacy Professionals (IAPP) indicates that Global 500 companies will spend a combined $7.8 billion over the next year preparing for GDPR compliance. Some of those costs will come from hiring consultants, assigning fulltime staff, as well as deploying technology.
Some surveys and predictions point to the likely cost. “One responder to a UK survey predicted that GDPR would cost their company £5 million to become compliant, and £1 million a year to maintain it.” The predictions are not all dire. The UK Ministry of Justice projects that “a greater emphasis on compliance regulations will save between £42m and £124m in fines imposed by the ICO.”
Companies world-wide have been preparing, upgrading their technology, and improving data processes, in anticipation of the regulation going into effect May 25. Some software providers have been committing vast resources to making sure their solutions are GDPR compliant. Innovations are being built into upgrades and new solutions are being developed which will make data security a day-to-day routine, simpler to execute, and more reassuring to the public.
High financial and operational stakes are driving the focus on GDPR requirements. First, customers demand reassurance that their data is secure. In fact, having a highly secure system can be turned into a differentiator that builds customer loyalty.
But, the investment required to meet compliance mandates may be moderate—or major, depending on the current state of processes and systems. Companies operating on outdated solutions will require more work to be up-to-date. An investment strategy and phased compliance schedule may be helpful. That strategy might include turning to cloud deployment to avoid a large upfront capital investment and to take advantage of the monthly subscription model.
If you haven’t started working on a plan, you are not alone. Consulting firm Capgemini conducted a survey and found that at the time of the survey (late 2017) 67% of respondents were aware of GDPR, but only about half had allocated budget and started to prepare for the new regulation.
The survey also indicates that 31% of those polled plan “programs to target only to comply with the mandate by the deadline.” However, 28% are more proactive and optimistic. They consider GDPR as “an opportunity to gain competitive advantage.” Another 22% say GDPR will help them protect customer data. And 19% are the naysayers who consider GDPR a low priority.
Education is an important part of moving toward data security. Now is the time to educate yourself and your team members about GDPR—and other security issues. Compliance won’t happen overnight, but investing in technology and upgrades will help you move in the right direction and improve your ability to meet GDPR mandates. You may even be able to turn your compliance into a differentiator for your customers.
If you would like to learn more about Infor solutions and how they help you stay relevant and compliant with modern demands, watch the video “Cloud Helps You Stay Modern” for more benefits of cloud computing.