GDPR is upon us.
Unfortunately, most businesses seem woefully unprepared for the regulation — and this includes organizations on both sides of the Atlantic.
If you’re reading this from outside the EU, you may be thinking ‘What’s the big deal? This won’t affect my organization’. Think again.
The regulation impacts firms both inside and outside of the EU. In fact, any company dealing with EU businesses’, residents’, or citizens’ data will have to comply with GDPR. Even if a company does not have a European presence, it will still have to understand the impact of GDPR if it processes an EU resident’s personal data.
A full 52% of 400 U.S. companies surveyed are either still exploring the applicability of GDPR to their business; have determined that GDPR is not a requirement for their business; or are unsure (CompTIA, April 2018). And just 13% of firms say they are fully compliant with GDPR.
Think the Brits have it under control? Sadly no.
A recent survey from cyber security firm ThinkMarble found that 73 percent of British businesses remain unaware of the lawful basis for processing data ahead of the May 25th GDPR deadline. And only six in 10 members of the Institute of Directors believe their organization will be fully compliant.
For those organizations that are being more proactive, most are focusing on their role as a “data controller” (i.e. the organization that defines how the data is processed). As a controller, companies must ensure that they’re taking all the necessary precautions to protect the data and privacy of their EU-based users (aka data subjects). Their focus in many cases has been on capturing, documenting and managing the consent of their users.
That’s why you’ve probably received a flood of emails to your inbox (especially if you’re in the EU) with subject lines like:
- Let’s keep in touch
- Want to keep hearing from us?
- Keep receiving the goodness
- Let’s stay together
- You’re in control
But what’s getting lost in all of these re-permissioning campaigns is that any company that partners with a third party which captures or manages any personal information has a fiduciary responsibility to vet those solution providers for GDPR compliance. GDPR refers to this category of vendor as “data processors.”
One of the new bits with GDPR is that the controller and the processor are now both liable in cases of data misuse or a full scale data breach (previously it was just the controller who got the kicking). Remember, GDPR is solely focused on data, which means that any surface area over which that data passes must be protected from exposure, even if it’s in the hands of a vendor. Vendors can include both managed services, like outsourced IT, online identity verification services, and hosted services, like cloud servers and storage.
To help companies properly vet their data processors, we created this educational e-book: GDPR & Online Identity Proofing: An Inconvenient Truth. You can download it here.