A sports betting and online gaming company in Austria had a learning curve in becoming GDPR-ready, despite its experience handling customer data.
It was the spring of 2017, and Michael Mrak was bracing for the oncoming tsunami known as GDPR. The law has been characterized as the most sweeping set of changes enacted in data privacy regulation in two decades.
Put in effect in May 2018, the General Data Protection Regulation (GDPR) requires each member of the European Union to protect consumer and personal data more rigorously. It also calls for greater consistency among EU nations in protecting personal data. Any company, including those outside the EU, that markets goods or services to EU residents is responsible for complying with GDPR.
The fines for noncompliance are hefty: Enterprises that fail to comply with GDPR risk fines of up to 4% of annual global turnover or 20 million euros, whichever is greater. And now the U.S. is cautiously considering elements of GDPR. The California Consumer Privacy Act of 2018, which passed in June 2018, applies some GDPR-like protections in the state of California.
For compliance officers, chief information officers and myriad other IT and business professionals, GDPR has loomed large since companies began preparing for it in April 2016, when the EU passed the regulation.
Michael Mrak, head of the department of compliance at Casinos Austria AG
It was “stressful,” recalled Michael Mrak, head of the department of compliance at Casinos Austria AG, a group of companies dedicated to online gaming and sports betting, during a session on his lessons learned in becoming GDPR-ready at RSA Conference 2019. Companies worried, he said, that they might not be able to meet the requirements.
But the deep truth is that GDPR compliance is a path, not a single moment of achievement. “The plan from the CEO and the board was originally to be 100% compliant by May 25, 2018,” he said. “This is what CEOs usually want from you: ‘You need to be compliant. . . . Just do it.’ But then comes reality.”
That’s consistent with data on companies striving to meet GDPR requirements. EY and the International Association of Privacy Professionals surveyed 550 data privacy professionals about GDPR compliance for the IAPP-EY Annual Privacy Governance Report 2018. More than half of respondents, 56%, said they are not compliant or will never fully comply. And according to the recent Cisco 2019 Data Privacy Benchmark Study, 42% of respondents said that a key issue in complying with GDPR is the burden of the various data security requirements.
Ultimately, companies that spend the time getting their data privacy house in order are best positioned to become GDPR-ready. Those that develop documentation processes, build cross-departmental alliances and view compliance as a journey are best positioned to succeed along the way.
“Consultants we talked to say that there is no such thing as being 100% GDPR compliant,” wrote Claudiu Dascalescu in a blog on GDPR compliance. “Try to develop efficient data protection and privacy strategy based on your scenario.”
Mrak shared some of his lessons learned since 2016.
1. Develop business-unit-wide communication. Mrak said that one of the key aspects of becoming GDPR-ready was creating a project team and working with individual business units and corporate functions—some of which handle customers’ personal data and some of which have a role to play should a breach happen, such as internal auditing and corporate communications. Mrak noted that the various departments were brought into the process early on and had a designated role to play.
2. Stress-test your GDPR plans. Casinos Austria put its GDPR training and processes to the test by simulating two scenarios.
“We played a loss of data and the other was where data had been stolen and leaked through the media,” Mrak recalled. The company applied its training well in these mock scenarios but saw gaps in its processes, such as its failure to notify its customer service center about the data breach. “That’s a big issue, because it’s required by GDPR. You need to inform your employees, your customers.” Privacy coordinators work closely with compliance departments.
3. Create a data deletion matrix. In the regulatory environment, there may be contrary needs in storing data. “There are two conflicting data regulation sets that we have to fulfill,” Mrak emphasized.
For example, Casinos Austria is required under some regulations to store customer transaction data for various defined time periods (data relating to taxes must be stored for seven years, while other customer data may need to be stored for just five years). But GDPR requires that data be deleted in a timely manner. The right to be forgotten, another regulation in Europe, also requires that inaccurate data about a user be deleted if he or she requests it. These conflicting objectives—storing data so that companies can verify customer data and transaction history, and deleting data to protect against breaches or mishandling—often require a data deletion matrix so that compliance officers understand when they can, and when it is advisable to, delete data.
4. Address legacy systems that lack automated deletion capabilities. Many legacy database systems holding customer data cannot automatically delete records based on expiration dates or customer requests. Without automation, compliance officers can get engulfed in managing retention time horizons and one-off requests. Companies need to create interim solutions that automate these deletion practices so that nothing falls through the cracks. In the future, Mrak said, artificial intelligence will play a major role in automating this kind of process handling.
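The deletion matrix from lesson 3 and the interim automation from lesson 4 can be combined into a small scheduler. The following is an added example, not code from the article or from Casinos Austria: it encodes the two retention periods the article cites (seven years for tax data, five for other customer data), adds a hypothetical "marketing" category with no statutory hold, lets the longest applicable period override an erasure request, and routes records with unknown categories to manual review rather than silently skipping them.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed deletion matrix: category -> years of statutory retention.
# 7 and 5 are the periods the article cites; "marketing" (None = no statutory
# hold, kept only until the customer objects) is a hypothetical extra category.
RETENTION_YEARS = {"tax": 7, "customer": 5, "marketing": None}

@dataclass
class Record:
    record_id: str
    created: date                  # start of the retention clock
    categories: frozenset          # every rule that applies to this record
    erasure_requested: bool = False

def years_later(d: date, years: int) -> date:
    # 29 Feb collapses to 28 Feb when the target year is not a leap year
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def statutory_until(rec: Record) -> Optional[date]:
    """Latest date on which any applicable statutory period lapses; None if no hold applies."""
    unknown = set(rec.categories) - RETENTION_YEARS.keys()
    if unknown or not rec.categories:
        raise ValueError(f"{rec.record_id}: no rule for {sorted(unknown) or 'empty categories'}")
    holds = [years_later(rec.created, RETENTION_YEARS[c])
             for c in rec.categories if RETENTION_YEARS[c] is not None]
    return max(holds) if holds else None

def decide(rec: Record, today: date):
    """Return (action, date): 'delete' now, 'hold' until date, or 'keep' (no clock running)."""
    until = statutory_until(rec)
    if until is not None and today >= until:
        return ("delete", until)           # period lapsed: timely deletion under GDPR
    if rec.erasure_requested:
        # A running statutory period overrides the request; otherwise erase immediately.
        return ("hold", until) if until else ("delete", today)
    return ("hold", until) if until else ("keep", None)

def worklist(records, today: date) -> dict:
    """Interim automation for a legacy table: bucket records by action, unknowns go to review."""
    out = {"delete": [], "hold": [], "keep": [], "review": []}
    for rec in records:
        try:
            action, when = decide(rec, today)
            out[action].append((rec.record_id, when))
        except ValueError as err:
            out["review"].append((rec.record_id, str(err)))
    return out
```

The "hold" entries carry the date the statutory period lapses, which is the information a compliance officer needs to answer an erasure request that cannot yet be honoured.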
5. Ensure compliance with other regulations. Complying with other standards and regulations can help in GDPR preparation. For example, the International Standardization Organization features ISO 27001, a standard that focuses on information security. “While information security and data protection aren’t the same,” Mrak said, “they can be handled in the same way. This is where standards come in. If you are using ISO 27001 you will easily be able to fulfill the technical aspects of the requirements of GDPR.”
6. Gain executive-level support. As with many initiatives, executive-level support is critical to make complying with GDPR efficient and effective. Because executives had a “high level of awareness” about GDPR, the project at Casinos Austria was cross-functional, high-priority and relatively successful. “The huge number of meetings we had with all those responsible for systems and senior staff was a little more surprising than I expected,” Mrak said.
At the same time, business units and support functions need to be reminded periodically about how to introduce efficiencies and reduce errors. “The internal communications effort is still enormous,” Mrak said. “I’m still running through the departments as an ambassador for the issue. I’m still explaining, ‘We need to streamline processes; we need to automate.’”
According to Mrak, building in automated deletion and expiration dates into legacy systems may take until 2020 to complete. This can be a hard sell, especially because GDPR doesn’t contribute directly to a company’s bottom line.
“I’ll tell you a secret: We don’t make money with GDPR,” Mrak said wryly. At the same time, he sees compliance as directly related to customer retention and customer experience.
The Cisco study on data privacy echoed this notion, with 41% of respondents saying that they had gained competitive advantage through their privacy investments in becoming GDPR-ready.
“If you can communicate, ‘We do everything to keep your data safe. Whom do you trust when you spend money?,’ [companies] have a chance to win customers,” he said.
Alternatively, companies stand to lose a great deal if they don’t get a handle on data privacy.
“If you think compliance is expensive,” Mrak said, “try noncompliance.”
Lauren Horwitz is the managing editor of Cisco.com, where she covers the IT infrastructure market and develops content strategy. Previously, Horwitz was a senior executive editor in the Business Applications and Architecture group at TechTarget; a senior editor at Cutter Consortium, an IT research firm; and an editor at the American Prospect, a political journal. She has received awards from the American Society of Business Publication Editors (ASBPE), a min Best of the Web award and the Kimmerling Prize for best graduate paper for her editing work on the journal article “The Fluid Jurisprudence of Israel’s Emergency Powers.”