Organizations face “a year of reckoning” in 2018, according to Forrester, which predicts that the EU General Data Protection Regulation (GDPR) could cause havoc.
Even though the GDPR is a European law, it applies to any organization in the world that collects EU residents’ personal data. This fact has escaped the attention of many US companies, with the majority of them admitting that they’ve made no plans to prepare for the Regulation.
Reports such as this have almost certainly influenced Forrester’s forecast for 2018, which claims that 80% of organizations won’t be compliant with the GDPR by the May 25, 2018 deadline. Of those, half will take steps to comply but won’t meet all the Regulation’s requirements, and the other half will intentionally ignore the Regulation.
Those that ignore the GDPR will have “weighed the cost and risk and [taken] a path that presents the best position for their firms,” according to Forrester.
The GDPR is about more than avoiding fines
Forrester doesn’t disclose how it reaches these conclusions, so it’s easy to dismiss its report. However, many of its predictions for 2017 came true, so you’d be forgiven for trusting whatever method Forrester uses.
It may well be the case that many organizations are treating the GDPR as a cost–benefit exercise, but that doesn’t mean they will get away with it. Even in a scenario in which an organization doesn’t prepare for the GDPR and avoids a fine, it still loses: it falls increasingly behind in its data protection practices, it becomes a ticking time bomb for a data breach, and it will face the ire of frustrated data subjects.
The final point is perhaps the most salient: the primary purpose of the GDPR is to protect individuals’ data protection rights. Organizations are required to give people more control over the way their data is collected and maintained, and give them more information on rectifying, erasing, and accessing data stored on them.
Organizations that do this effectively will gain a strong reputation for data protection, which will soften the damage when a data breach occurs, as most people concede one will at some point.
A ‘wait-and-see’ approach
Forrester’s report makes a curious concession that hints at the folly of ignoring the GDPR. It says that organizations’ approach to the GDPR will be “fluid” and “any successful case against a well-known giant will change the cost-risk balance.”
It’s essentially saying that organizations will take action as soon as a supervisory authority levies a massive fine against an organization that suffers a data breach. This echoes speculation that supervisory authorities will look to make an example of a big company as soon as possible to underline the seriousness of the GDPR (which, incidentally, the UK Information Commissioner’s Office has dismissed as “scaremongering”).
But even if, in a best- (or worst-) case scenario, a conglomerate suffered a data breach the day after the GDPR takes effect, it would still take months or years for the relevant supervisory authority to investigate the incident and announce the size of the fine. In the meantime, those who have adopted the ‘wait-and-see’ approach will blithely assume that the GDPR is a nonissue until they suffer a data breach and receive enormous penalties for flagrantly disregarding the Regulation’s requirements.
This isn’t a risk that any organization should take. Think of the GDPR less like a hurricane steering ominously close to your borders and more like a steady rise in water levels. You know it’s coming, it’s a permanent change, and everyone will be affected. If you prepare for it in time, you’ll be more than ready to meet the challenge, but if you ignore it, you’ll have a huge mess to clear up and still have to invest in protective measures.
Prepare for the GDPR
With six months until the Regulation takes effect, and many organizations waking up to the reality of the Regulation, there has never been a better time to invest in GDPR training.
Our Certified EU General Data Protection Regulation Foundation (GDPR) Training Course provides a comprehensive introduction to the GDPR and a practical understanding of the implications and legal requirements for organizations.
This one-day course is delivered by an experienced data protection practitioner, and is suitable for directors or managers who want to understand how the GDPR affects their organization, employees who are responsible for GDPR compliance, and those with a basic knowledge of data protection who want to develop their career.
We’ll be running this course in Boston, MA on November 28, 2017, with future courses in Boston again and New York.