The General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and within 24 hours Google and Facebook had both been targeted with non-compliance complaints. There’s a lot of confusion about GDPR—who it applies to, how to become compliant, and what happens afterward—and businesses are scrambling to get their arms around the whole issue.
We talked with Wayne Varga, Director of Security Services at SD7 Technology Group, to get his take on GDPR. SD7 provides security and compliance consulting and technology outsourcing. Wayne oversees the security consulting for SD7’s clients. Here’s what he told us about dealing with GDPR after the May 25 deadline.
GDPR Compliance After May 25
TCT: The GDPR deadline was May 25, 2018. How did you work with clients on GDPR leading up to then?
Wayne Varga: Our work with clients hasn’t really changed since the May 25th deadline. But there’s no validation. Compliance is an ongoing process with GDPR. There are no regular annual reporting requirements, there is no prescriptive standard for compliance with GDPR. There is nobody to report to, saying that you’re compliant. It’s just that after May 25, companies can be called out for being non-compliant. Enforcement is generally by complaint or lawsuit. Therefore, how we work with clients hasn’t changed since the deadline passed.
GDPR is pretty nebulous. For example, with PCI, the standard is specific. It says that you have to change your passwords every three months. GDPR doesn’t say anything like that. Instead, it talks about nebulous concepts—for example, you need to have secure authentication, you have to have a privacy policy, and you need to have reporting on your compliance status. But it doesn’t specify details about how to do those things.
So it requires an ongoing effort. It requires expertise that comes from someone who has been doing compliance for a while.
TCT: What is the biggest issue you’re seeing from clients right now?
WV: There are two related problems. One is, there are a lot of clients that think GDPR doesn’t apply to them, simply because GDPR is a European standard, and the client operates out of the U.S.
But GDPR applies to any company that provides any kind of good or service to someone who lives in the European market. So that effectively applies to anyone who has an online presence. If there’s a possibility that someone from Europe could go to their website and access information on the site, then GDPR applies to them.
The other problem is on the other extreme, where people over-analyze GDPR, and they think they have to spend a whole bunch of time and money to become compliant. That’s not the intention of the standard. It’s a lot easier to become compliant than people think. In general, if people are following standard security practices, there are a small number of additional items they have to do to comply with GDPR.
TCT: What’s the best way for a company to get started with GDPR compliance?
WV: There are a couple of things to do. One is to read up on what GDPR is. There are a lot of good sources online, and I recommend reading several of them. Don’t download the GDPR standard—it’s really large. It has 99 different articles describing what the scope is, what the affected organizations are, what their obligations are.
After that, talk to people who are already helping you with security.
TCT: What happens if your company gets reported?
WV: The idea that a company gets reported just means that you have the opportunity to respond. And that’s really what GDPR compliance is all about. It’s all about being prepared so that if you are reported, you can respond immediately to resolve the problem.
The best defense against a report or a lawsuit is to be ready to show compliance—to show your record-keeping, reporting, your breach policies and security practices.
TCT: What do you think companies should watch for with GDPR?
WV: Well, a couple of things—and, of course, it’s hard to predict the future. But companies should expect to see an increasing number of lawsuits and other compliance actions. They should expect to see the level of hype around those actions rising over the next six months.
We should also expect to see GDPR being rolled into more of a general security offering for a lot of companies—just rolled into “business as usual.”
You have probably already seen notices from just about every company you have dealt with over the last few years. You probably get email notices saying, “We’ve revised our privacy policy to be GDPR-compliant.” In my case, I’ve received notices from companies I haven’t dealt with in years. You should expect to see even more of those coming in the next few weeks—and then regular updates over time.
TCT: Any advice to companies that aren’t GDPR compliant yet?
WV: GDPR is as much of a legal issue as it is a security issue. Proper GDPR compliance often requires consulting a lawyer or other legal consultant. Because, to a degree, it has the same weight as other laws. A lot of GDPR enforcement is by lawsuit, so having good legal counsel is just as important as having good security counsel.
TCT: Thanks for your time, Wayne!
Gain Control of GDPR Compliance
TCT Portal is built to make compliance manageable. GDPR doesn’t need to be a stressful, confusing mess—TCT Portal can help you make sense of your compliance processes, tasks and documentation. Stop sweating GDPR and gain control of your compliance tracking.
Schedule a personalized demo to see the difference TCT Portal can make for your company.