UPDATED 17:27 EDT / JUNE 02 2017

BIG DATA

How to find the silver lining in the EU’s looming General Data Protection Regulation penalties

With less than a year remaining until the European Union’s new General Data Protection Regulation kicks in, the level of hyperventilation in the business world has reached epic proportions.

An April study by Veritas reports that 86 percent of organizations worldwide are concerned that a failure to adhere to GDPR’s strong privacy guidelines could have a “major negative impact on their business,” and 18 percent fear it could put them out of business entirely. Another study fielded in the U.K. warned that FTSE 100 companies could face fines of as much as £5 billion each.

It’s always good to be prepared, but excessive handwringing at this point does little good and may obscure the positive impacts of GDPR in driving corporate security awareness, according to one expert. Darron Gibbard has studied the regulation as it evolved from a patchwork of local standards over the past 20 years both in his current role as chief technical security officer at Qualys Inc. and in his previous role as head of risk and information security services at Visa Europe Ltd. In an interview with SiliconANGLE, Gibbard said much is still unknown about the details of GDPR and how aggressively it will be enforced.

“You can’t be too careful, but we don’t know how it’s all going to play out,” he said.

Organizations are particularly alarmed by the harsh penalties the regulation specifies: up to €20 million or 4 percent of a company’s annual worldwide sales for each infraction, whichever is greater. If enforced to their fullest extent, these fines could wipe out many businesses, but Gibbard believes that isn’t the EU’s intent.

“Everything about the current regulations is based on the seriousness of the breach,” he noted. “I’m a firm believer that there would have to be a similar approach” to GDPR enforcement, such as a sliding scale of fines based upon the number and severity of violations. In the meantime, the severity of the fines is getting companies focused on the changes they have to make and drawing the attention of C-level executives. “I think it’s more about fear and forcing organizations to take privacy more seriously,” he said.

The overarching goals of GDPR are laudable: Put control of personal information back in the hands of individuals, and force businesses to exercise greater responsibility when handling personal information. Businesses with sound data governance and classification procedures should experience little inconvenience and may even gain an edge over competitors who are struggling with compliance. For information technology organizations and security professionals, it’s an opportunity to put some sound practices in place with the blessing of the board of directors.

There’s nothing new or radical about the rules, either, Gibbard said. “Know your assets, know your data, know where your data is going, where it’s being shared and who’s sharing it,” he said. “Make sure patch management is in place, your incident management processes have been tested and know the notification rules,” which provide a window of 72 hours to notify partners and regulators about data breaches.

For companies whose current practices are sloppy or poorly documented, a lot of rework could be involved. For example, many businesses share personal information about customers or constituents with third-party marketing firms. Under GDPR, both they and their business partners could be prosecuted if proper rules regarding permissions aren’t followed.

Then there’s the act’s notorious “right to be forgotten” rule, which allows people to demand that their personal data be erased by an organization that possesses it. Imposition of that rule by a French court in 2005 tied Google in knots as it scrambled to comply with hundreds of thousands of requests to remove personal information from its search indexes. The same demand will now apply to everyone.

Organizations will have 30 days to comply with a request to remove personal data. They will need to have procedures in place for accepting, adjudicating, processing and reporting upon such requests. What’s still unknown is how far back they will have to dig in their archives to scrub this information. Depending on the industry and jurisdiction, some organizations currently maintain customer data for many years or even permanently.

“If you’ve got backup tapes, you may have to recover the tapes, wipe them clean and return them to storage. That’s going to cost an astronomical amount of money if that’s what the regulators want,” Gibbard said.

But at this point nobody knows exactly what the regulators want, besides greater accountability and transparency. It will take time and court cases to untangle some of these nuances, and Gibbard advises organizations not to panic in the meantime.

Rather, they should use the next 12 months as an opportunity to get their security house in order and raise the visibility of security overall. “A lot of organizations are looking at GDPR as a golden ticket to get some of the investments in security that they’ve always needed,” he said. “It’s a good opportunity for security teams to get themselves engaged in projects at the beginning rather than being a tick box that’s added at the end.”
