Remember the hullabaloo around GDPR? Well, it went into effect a little over a month ago and already there are complaints pending before Supervisory Authorities in four EU countries. The first complaints filed under the regulation, all of them about privacy concerns, are aimed at several major companies, and every one of them is U.S. based.
The First GDPR Complaints
Complaints have been filed against several U.S. based companies. The filings range in size from a single complainant to collective actions representing 9,000 to 10,000 EU data subjects. As these stories unfold, no one knows how the complaints will progress or whether any of these companies will be fined by an EU Supervisory Authority. What is already clear is that GDPR enforcement is a live issue for many companies, not a theoretical one.
What we do know from these early complaints is three things:
- U.S. companies are not going to be immune to GDPR litigation
- Even if no fines are levied, each of these companies must devote expensive legal resources to defending against these suits.
- If you are a U.S. based company handling information about EU data subjects, you need to make sure you are ready for GDPR, including being able to demonstrate your compliance should an EU Supervisory Authority make an inquiry.
GDPR Preparation Basics
Every company has to consider the impact of the GDPR on its own business requirements and operations. There are some basics that stand out as good fundamentals for GDPR efforts and privacy programs, in general.
Security Risk Assessment: Article 32 of the GDPR (Security of processing) requires technical and organizational measures appropriate to the risk of the processing, taking into account the state of the art, the cost of implementation, and the likelihood and severity of harm to data subjects. It names measures such as pseudonymization and encryption, ongoing confidentiality, integrity, availability and resilience of systems, the ability to restore availability after an incident, and regular testing of the measures' effectiveness. Meeting that standard in practice means running a security risk assessment that makes the link between each identified risk and the internal control that mitigates it explicit, which is what reduces GDPR compliance gaps and sharpens risk mitigation strategies.
Breach Response: Article 33 of the GDPR requires that a personal data breach be notified to the supervisory authority without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of it, unless the breach is unlikely to result in a risk to data subjects. Obviously, the goal of any security team is to prevent breaches, but breaches still occur, and the notification clock starts running the moment one is discovered. Meeting that deadline requires a combination of processes and technical capabilities: security incident management, security operations and breach management, tools for deep monitoring and analysis of system security data such as system events, and strong forensics capabilities, so that the scope of a breach and the data affected can be established quickly enough to notify on time.
Data Governance: The GDPR makes data governance a crucial element of effective data management practices. Organizations must protect personal data in a number of different ways and must be able to demonstrate due diligence by keeping accurate records of their processing activities (Article 30). A basic element of data governance is controlling who has access to personal data within the organization. These requirements are in keeping with Identity and Access Management (IAM) and Data Governance best practices.
Compliance Program Management: At the end of the day, GDPR is a regulatory issue. A compliance program should provide the framework for establishing a scalable and flexible environment to document, manage and test your organization’s policies and procedures to comply with the GDPR.
Organizations with these basics in place have a stronger foundation for addressing emerging issues, creating a more proactive and resilient environment while reducing the cost of GDPR compliance.
For more information, check out RSA's resources on GDPR - specifically this paper on GDPR Compliance. For RSA Archer Community members, we have several Practitioner Tours highlighting the RSA Archer privacy use cases - Data Governance and Privacy Program Management.