GDPR: Non-Compliance Is Not An Option

Visit any reputable website today, and you may encounter a pop-up similar to the sample below:

This is not a coincidence, as it is mandated by EU General Data Protection Regulation or GDPR which took full effect last May 25, 2018. To simplify implementation of GDPR rules, many mainstream companies operating not only in EU-member states but also with other Non-European countries choose to adopt a single Terms of Service for everyone. That means data protection of user data is applied not only for EU citizens but the rest of the organization’s stakeholders.

At the date of this writing, there are still many companies which are in their process of migrating to a GDPR compliant system, policy and procedures. In fact last May 25, only 15 percent of the expected organizations were 100% compliant.

We summarize the talking points below in order to meet the requirements of GDPR:

Compliance is not only for short-term, organizations are compelled to plan beyond it.

Adherence to GDPR is not only for the short term but for firms to plan ahead in order to maintain certification of compliance. This is not achieved by just purchasing a credible cyberdefense software, hardware or service to secure the network and data of the organization today. Promotion of high-level employee engagement activities is also vital to promote alertness and sense of responsibility as part of the organization. Just throwing the rulebook containing the do’s and don’ts to the employees will just result in a toxic atmosphere. GDPR non-compliance may come from many aspects of an organization, from its board-of-directors down to the entry-level employees. This is because GDPR operates under the assumption that a company invests to improve data handling and storage of customer information. The long chain starts with its very basic component, which is trust. Trust cannot be gained overnight but can be lost overnight. Lack of long-term planning with how to maintain compliance endangers not only the organization’s profitability but also acceptance of the public. Once the trust of the public is lost, the organization has nothing to go but towards a sure downward spiral. The Diginotar’s filing of bankcrupcy due to the 2011 controversial security issue it went through is one of the examples of firms that went out-of-business due to loss of public trust.

Expect GDPR agents or its enforcing arm to conduct regular compliance checks.

EU is serious about regulations they impose to protect their member states. They will penalize any organization that violates EU rules, and they have the track record to prove that even before GDPR even existed. Facebook was fined 100 million due to WhatsApp acquisition, Microsoft was fined 561 million due to browser ballot non-compliance. Even the almighty Google is about to pay $11 billion  due to an alleged antitrust issue with Android.

Plan how to respond to a data breach, and how to communicate it to the stakeholders

Organizations need to be transparent to their stakeholders in the event that a data breach, server hack or cyber attack against their system. Firms need to open a communication line and timely update the stakeholders, as leaving them in the dark will promote distrust. Organizations that defy the need to use standard encryption technologies is trouble just waiting to happen. If the breach or data leak happens because of the use of defective encryption, they have to tell the public about it. Secrecy of a cyber attack is against the obligation of companies to secure the data of their customers. The longer wait, the more possibility of damage users need to absorb.