with contributing author, William J. Malik, CISA | VP, Infrastructure Strategies
The date for General Data Protection Regulation (GDPR) compliance is just weeks away, yet many organizations, especially those outside Europe, remain unprepared. It turns out that the experiences from other privacy compliance regulations are less helpful than assumed, but the best lessons learned may be from non-privacy regulations.
GDPR Lessons from Other Privacy Compliance Aren’t Very Helpful
Because compliance is tied to regulations and laws, they are often regional. In Canada, the Personal Information and Documents Protection Act (PIPEDA) became law in 2000. PIPEDA is mostly about privacy, specifically obtaining consent from and letting people know why their information is being collected. As with too many laws and regulations for privacy, to date there have been no penalties for PIPEDA non-compliance other than reputational. Governments are eager to pass regulations for compliance but often balk at implementing penalties. This ‘false sense of non-compliance’ will be a surprise to organizations that choose to run afoul of GDPR expecting it to be similar to privacy regulations in many jurisdictions. GDPR however has penalties in its first iteration. Rather than looking to other privacy regulations, financial compliance is a better example to use for convincing your organization to get serious about GDPR. The penalties in GDPR are real.
GDPR Lessons from PCI-DSS
PCI-DSS is a better comparison to GDPR: Regional compliance having a global impact and with penalties. When PCI was first introduced, many organizations assumed it wouldn’t apply to them as they were not a credit card processor. The next phase was compliance-surprise, when organizations discovered credit card holder information was present in new apps or added to existing apps that were previously not in scope for PCI. One noteworthy case saw a $13.3M fine levied. The GDPR lesson is that even if you are not subject to compliance on day 1, monitor changes to your business to check if you do later become subject to GDPR.
GDPR Lessons from HIPAA
US companies are generally not ready for GDPR compliance. By examining the history of compliance with HIPAA, we can forecast how GDPR compliance will roll out. HIPAA is focused on privacy, so it has some lessons. Initially, HIPAA enforcement was light. GDPR applies to any organization processing personally identifiable information belonging to EU citizens. In the US, this requirement had been defined under the European Data Privacy Directive. Those basic definitions remain in place. What has changed are:
But penalties for HIPAA non-compliance have grown steadily over the past 10 years:
Note that under the terms of the Privacy Shield, individuals and government agencies (specifically the FTC) can bring actions against organizations in US courts. The mechanisms for levying fines are already in place. Organizations that fail to prepare for GDPR will face the financial consequences of non-compliance, that is, Stage 3, in short order. Unlike HIPAA, GDPR is familiar to many multinationals. Organizations have faced penalties under the current Data Protection Directive for over a decade. The learning curve will be much shorter this time. Do not expect a multi-year gap before US-based organizations face substantial financial consequences. We expect to see fines levied within the next 18 to 24 months.
GDPR Lessons from Increasing Compliance Maturity
Not all compliance is created equally. For other privacy regulations it is common that there is no penalty for non-compliance, even willful breaches, whereas in some geographies privacy breaches can bring significant discomfort. So there is a gradient of maturity that compliance falls into, not by category of compliance (e.g. financial, privacy) but for the specific regulation or standard. This isn’t to argue that every compliance regime needs penalties, formality and significant oversight – but there are noteworthy differences in the ‘seriousness’ or impact of compliance with each system. We foresee that organizations will mature in their compliance following this proposed maturity model:
|Maturity Level||Characteristics||Likely Examples (and fodder for arguments)|
|0||Minimal utility in compliance, can be used as excuse for doing less than due diligence standards||OWASP Top 10|
|1||Guidance and checklists||NIST Standards, ISO 27001|
|2||Regulations and formal laws without penalties – “name and shame”||PIPEDA (current version)|
|3||Impact of non-compliance, fines, significant||PCI-DSS, HIPAA, GDPR|
|4||Embedded into business. Compliance because it makes life better.||FIPS 140-2|
We will move rapidly through stages 0 and 1 to stage 2. We already have organizations that report on breaches, investigations in progress, and fines for HIPAA. The Privacy Shield site tracks registered organizations, and will provide a platform for reporting on breaches and fines, as well.
The Bottom Line
Although GDPR deadlines are approaching rapidly, this is not wholly unfamiliar territory. Use the practices already in place for your non-privacy compliance. Yes, GDPR is a more mature model of privacy compliance than most North American organizations are used to, but the compliance already in place for other regulations and laws can be a roadmap in getting compliant quickly.
The mechanisms for levying fines are already in place. Organizations that fail to prepare for GDPR will face the financial consequences of non-compliance, that is, Stage 3, in short order. Unlike HIPAA, GDPR is familiar to many multinationals. Organizations have faced penalties under the current Data Protection Directive for over a decade. The learning curve will be much shorter this time. Do not expect a multi-year gap before US-based organizations face substantial financial consequences. We expect to see fines levied within the next 18 to 24 months.