בלוג: מחיר המידע - 10 טיפים לתקציב 2020

האם הקדשת תקציב לפרטיות ואבטחת מידע?

פורסם במקום ב-LinkedIn

Nowadays, data comes at a cost. As the new financial year arrives, CEOs and CFOs need answers: Should I invest in Data Protection and Privacy? How much? And whose budget is it anyway? I’ve got some answers.

Let’s start with the straightforward question: what happens if I don’t spend a dime?

Maybe nothing. Certainly nothing good. According to surveys by Financial Times and PwC, 93% of companies surveyed have already started GDPR compliance efforts. So if you haven’t, the astounding majority of companies don’t share your logic. First GDPR fines and sanctions are coming in, at a low pace for now. The authorities are focusing on the internet giants, who are sued for billions, but a hospital in Portugal, an adtech startup in France, and some other small companies also got slapped. As data protection authorities get additional budgets and following an unofficial grace period, enforcement is expected to increase dramatically. I would add that GDPR and data protection authorities explicitly value effort, so not doing anything is probably the worst strategy to pick.

How much do companies invest in data protection and privacy?

The GDPR tsunami had companies worldwide investing heavily in getting ready. The above surveys revealed that Fortune 500 companies spent in average over $16 million (€13 million) on GDPR compliance over the past year, with other large companies spending over $1 million. As proactive companies took action towards compliance, they discovered that becoming compliant is not a project, but a journey, which is neither simple, quick, cheap, or finite. For example, at the beginning of 2018, 73% of companies said they’d be GDPR compliant by year end. Now that year end is around the corner, statistics talk about a mere 20% of companies (and 29% in Europe) that (think that they) are fully compliant. What happened? Projects took longer than expected, revealed more gaps than anticipated, and when a project finally ends, maintenance is needed for continued compliance. Therefore, 2019 will see yet another increase in GDPR spending. The good news is that 70% of companies realized that this effort had a positive impact on their business.

So how much should my company spend?

GDPR explicitly encourages proportionality. GDPR even exempts from certain obligations if they’re impossible or requires disproportionate effort. However, not doing anything is neither proportionate nor reasonable, and most GDPR obligations - that are still subject to fines of up to €20 million or 4% of annual revenues - do not enjoy the proportionality defense. Invest as much as needed, taking into account the nature of your data processing - its scope, sensitivity, potential damage in case of a data breach, etc.

Whose budget is it anyway?

One problem with data protection and privacy budgets is that it’s not clear who should be the budget owner in the company. Is it Legal, because GDPR is a law? Is it IT, because they are in charge of the systems processing the data and cyber solutions to protect the systems? Or is it Marketing, the likely GDPR criminals, whose MarTech platforms utilize personal data the most? Or maybe it’s Product & R&D, who need to fix the UX to get consent properly, or Operations, who would implement new processes across the company? While you contemplate, nothing gets done. I believe GDPR should be a special CEO budget this year, that can be allocated across the company according to its specific needs and priorities. If you have a Data Protection Officer (DPO), let him/her manage this budget. Or you can condition other budgets, for example:

Don’t approve marketing campaigns if the information collection is not GDPR-compliant, and don’t approve product development if privacy is not integrated into the design.

Where should I invest this budget?

“It depends” is always a valid answer, but I won’t dodge the question. If you’re a starter to GDPR and don’t understand it well enough, start with a GDPR Audit, to understand what you need to do. Then, assuming you’ve got a prioritized plan to minimize risks and achieve success, simply follow the plan, and invest where it matters the most. The solutions and costs vary per company, but the actions towards compliance are quite similar -

Here’s a list of 10 popular GDPR compliance items to consider for your 2019 budget:

  1. Commission a GDPR Audit - A proper audit should analyze the personal data your company collects and processes, the data flows, your company’s role according to GDPR (are you a controller, processor, or both?), and the subsequent responsibilities you have under such role(s). It should review your technology stack and third-party systems, your marketing practices, and your product UX/UI to understand how you get and use personal data. Following an audit, you should have a very good sense of where you stand, have a gap analysis towards compliance, and a clear prioritized list of what you need to do. Who executes your GDPR Audit has an impact on what it includes and what you’d know - which brings us to the next cost item.
  2. Hire GDPR Lawyers and Consultants. Over 80% of companies use external vendors to help them prepare for GDPR. Technology companies, consultancies, and law firms lead the external-help charts, but each has its strengths and weaknesses. Tech companies sell you on their solutions for specific GDPR requirements (and forget about the rest). Consultancies are good in creating actionable plans, but would shy away from any legal judgment (since they can’t practice law) and might hesitate about technology. Lawyers will highlight all risks, but would not prioritize them (since €10 or €20 million fines are both catastrophic) and will avoid getting into the non-legal parts of GDPR - IT, product, marketing, processes, organization and more - which are critical and essential for compliance. So unless you find a lawyer, who is also a management consultant, product manager, marketing manager, technology manager, AND knows GDPR inside out, you probably need to hire several vendors to understand your obligations, evaluate your risks, and develop a practical plan forward. Nevertheless, hire them all, you can’t deal with GDPR on your own.
  3. Prevent a Data Breach - As I mentioned in another blog about Facebook and Google's data breaches, the GDPR-mandated notification of a personal data breach to data protection authorities is dangerous yet likely. Therefore, companies should invest in preventing breaches. Penetration testing and IT/Cyber security are two useful, yet costly, components. However, simply taking a closer look inside your company is an effective first step to prevent security incidents. Run a Data Protection Impact Assessment, or a smaller Risk Assessment, to map your vulnerabilities. Then, you’d probably find many small investments in your IT processes (such as Access Control and Employee Onboarding/Departure Checklists) and authentication mechanisms (strong or one-time passwords, two-factor authentication, etc.) that can go a long way to mitigate risk for your data and company.
  4. Protect the Periphery - Legal and Product. The same way that thieves are less likely to break into a house that looks well protected by security cameras and dogs, so would your company benefit from looking compliant even before it really is. Customers and lawyers see your periphery first - your product experience, the terms and policies governing your website. Make sure these are updated according to GDPR requirements. Do customers provide informed consent? Do they opt-in or opt-out of direct marketing? Does your Privacy Policy mention GDPR rights? Is it written in plain language like GDPR requires, or in complicated legal lingo? Also correct your Terms of Use, EULA, and B2B commercial agreements. Sign a Data Processing Agreement with your customers or processing vendors, and select GDPR-ready vendors. On the Product side, provide all necessary information ahead of data collection, and let customers access and manage their data, so you can avoid data subject access requests (DSARs).
  5. Align your Organization - GDPR compliance is not a one-off project. If your team doesn’t understand data, information security, legal, and privacy - and most of them do not understand it all, then their old practices would fail your compliance time and time again. Marketing needs to understand what’s permitted under the privacy policy. Product and R&D teams need to integrate Privacy by Design and Data Minimization into PRDs and user stories. IT and Customer Support need to limit and avoid access to customer data where possible. Train your teams about GDPR and local privacy regulations, how they affect their roles, what risks their actions pose on the company, and how doing the right thing advances the business.
  6. Prepare for a Rainy Day - Set Internal Processes - A well-known idiom says “we’ll cross that bridge when we come to it.” However, that tactic won’t work with GDPR compliance - when you incur a data breach and have to notify authorities within 72 hours of discovery, or get a data subject access requests (DSAR) and go looking for a person’s information across the organization, it’s too late to catch up on the best manner to handle the situation. Expedience would also make it costly to get help when you absolutely need it. Setting internal processes for data protection, handling data breaches, DSARs, and other aspects of data and privacy is a GDPR requirement, and the only way to navigate the storm when it arises.
  7. Appoint a Data Protection Officer (DPO) - Certain companies have to appoint a DPO according to GDPR or national law. If they don’t, they face a fine of up to €10 million or 2% of annual revenues. A DPO can be internal or external, but have to satisfy certain requirements, such as expert knowledge of data protection law and practices, and the ability to fulfil the tasks assigned by law. Maybe you must appoint a DPO and maybe you don’t have to, but my recommendation to most companies with vast data  and international activity, is that you better. Having a DPO on the payroll advances the company’s compliance and is useful in responding to ongoing data and privacy needs.
  8. Stick a Flag in the EU, Appoint a Representative - Many companies who are subject to GDPR also need to appoint a representative in the EU, mostly to interact with data protection authorities, and - truth be told - to ease enforcement by such authorities against non-EU companies. A representative doesn’t need to be a person, it can also be a legal entity, so if you have an EU entity, consider using it as your representative. Appointing a representative in the EU can ease international bureaucracy later on, through using the One Stop Shop mechanism that non-EU companies do not usually have access to.
  9. Deploy Tech Where It Makes Sense - Technology and big data have made GDPR necessary, and technology might lay the path to salvation from the regulation’s many requirements in the future. However, for now, no technology solution that I’ve reviewed in depth solves for all requirements and worries. Tech sales teams play an important role in triggering compliance efforts and technology solutions are in many cases the largest cost item in GDPR preparation. Still, as mentioned, tech companies would sell you on the specific issues their software solves for, and forget about all other aspects that makes your company non-compliant. Here are a list of domains where technology can ease your burdens: Cyber security, Identity Management, Consent Management, Data Mapping, Processing Records management, Encryption, DSAR management, and Data Loss Prevention (DLP). The price points for most of the available solutions make them viable only for large enterprises, but even using them all doesn’t make you remotely compliant. Regardless of your company’s size, start with the basics (e.g. audits and preventing breaches), and then consider whether dedicated tech solutions could save you money through risk mitigation and automation.
  10. Account for Damage - Budgeting is about accurate planning. In a year where GDPR is in full force and data protection authorities are getting increased resources for enforcement, you should also account for damage. Damage is not necessarily a fine - it could also be the cost of handling customer complaints and legal proceedings, unplanned costs due to regulatory investigation, or the negative impact on sales and reputation following a data breach. The amount to account for is the expected damage multiplied by the probability of such damage. The more steps you actually take towards compliance and risk mitigation, the less likely you are to face a subsequent damage.

To summarize, reasonable businesses would set aside a reasonable budget in 2019 to up their game in data protection and privacy. The amount you invest would by definition be smaller than the potential GDPR fines and risks you’re up against. Start with a GDPR Audit or appointing a DPO, you’d be in a much better position to confidently plan for a successful 2019.

***

Adv. Oded Israeli (LL.M., MBA) is a commercial lawyer and management consultant, with vast experience leading marketing, product, and technology teams at both enterprises and startups. Israeli founded GDPReady to help companies deal with GDPR in a practical, holistic way, while clearing executives' time to focus on their business. Schedule a free consultation call.

#data #privacy #GDPR #budget #2019 #audit #security #breach #cyber #protection #dpo #risk #EU #law #legal #regulation #product #marketing