Data is the lifeblood of every company.  Knowledge of your customers and the ability to use that knowledge to create better new products and customer experiences is how enterprises survive and thrive in the 21st century. 

But that data must be protected. As we’ve seen from high profile breaches at large organizations like Equifax and the NSA as well as many smaller companies, large, well-funded and organized threat actors are taking advantage of increasingly sophisticated tools and techniques to exponentially grow business risk. 

Globally, governments have taken notice and have introduced new regulations requiring organizations to employ new methods designed to safeguard customer and employee data from not just cyberattacks, but also misuse of the data.

As the threat and regulatory landscapes rapidly evolve, new data protection regulations introduce significant and growing operational risk as well as new business risks.

What is GDPR?

The General Data Protection Regulation is the 2016 data privacy law enacted in the European Union (and likely the UK as well). After a 2-year grace period, enforcement will begin in May 2018, and at that point, up to 4% of global company revenue and unlimited liability is at stake for US companies with European customers.  Here are some of the new or enhanced key requirements that will be most challenging to handle.

GDPR: Risk, Opportunity or Neither?

Regulatory Risk

Many people believe that GDPR applies only if a US organization has a physical presence in Europe, but this is not true.  If an organization has customers or employees in Europe or accept EU resident data, then GDPR applies. But not all risks are created equal. 

The headline is that after May 2018, up to 4% of global company revenue and unlimited liability is at stake for every US company with EU customer or employee data, but actual penalties will depend on many mitigating or aggravating factors.

• Extent to which the company is pursuing a privacy/security by design strategy
• Quantity of personal data
• Potential breach impact (nature of the data)
• Willful or accidental misuse of personal data by collectors and/or processors
• Company brand visibility
• Etc.

Unfortunately, it is difficult to assess this risk up front; a GDPR readiness and risk assessment is required to establish the risk cost equivalence. Additionally, there are other types of risk to consider: Operational, liability, strategic and brand risk are also significant.

Operational Risk

Many organizations lack the controls that make it possible to even know where all their customer data lives, much less understand the impact if that data were to be misused. But finding, classifying and assessing personal data is only the beginning; the real work begins with making business and IT operations compliant. 

Operational risk is exacerbated by the fact that the landscape for compliance and security is rapidly evolving, driven by new threats, new actors, as well as new case law and policy changes. Without automation, GDPR compliance costs can grow over time & overwhelm organizations.

Compliance Automation

• Supports Privacy by Design
• Reduces errors leading to enforcement and/or breaches
• Reduces cost by automating compliance workflows
•  Reduces the threat surface with approaches like pseudonymization & encryption

GDPR’s Strategic Risk & Opportunity

In  addition to Regulatory and Operational risks, there are significant strategic risks to consider

•  Competitiveness:  GDPR requirements make scalability more difficult, which makes it necessary to source additional hard to find talent, limits use of predictive analytics for decisions, inhibits new product development, and makes it more difficult to enter new market segments

• Customer Experience:  Some organizations, instead of evolving, will choose to reduce risk by limiting the use of personal data.  This can happen without leadership even being aware.  Over time, the ability to deliver new, more personalized customer experiences will be drastically limited
• Trust  With so many high-profile breaches, even comparatively minor GDPR enforcement actions could permanently impair a company’s brand and damage its relationship with customers, employees and partners.

Although the operational, regulatory and strategic risks are real, GDPR can also represent an opportunity to create competitive advantage.  By utilizing GDPR as an opportunity to begin automating, you begin to create a more agile enterprise while supporting the costs of compliance with the savings you achieve through automation.