GDPR Summit: Webinar Replays & Survey Results

Earlier this week, we had the pleasure of presenting a three-day webinar series on the EU General Data Protection Regulation (GDPR) and how companies are preparing for the May 25 deadline. Primitive Logic thought leaders as well as experts from other organizations shared insights on where companies are in terms of GDPR readiness, what they’re doing now, and what still needs to be done.

If you missed any one of the sessions, or if you want to go back and review, the recordings are available on our BrightTALK channel:

Over the course of each webinar, we presented the audience with survey questions to get a sense of where they are in their GDPR readiness strategy and which people and platforms are involved in the process.

Overall GDPR Readiness

We started our first two webinars by asking the audience where they are today in terms of readiness for GDPR. Here are the average results from the two polls:

  • Not started: 9%
  • Just started: 40%
  • Well on the way to readiness: 41%
  • Complete with DPO in place: 4%
  • I don’t think GDPR applies to my business: 5%

We’re encouraged to see that a majority of attendees have at least started the process of preparing for GDPR — and we’re not surprised by how few have completed their readiness plans.

As our legal expert, Michael Rubin of Latham and Watkins, pointed out in the first webinar, very few companies are expected to be 100 percent ready when May 25 arrives. Even those who do have all the pieces in place will still have work to do, as more guidance continues to be released. The most important things an organization can do are

  • Make a start by understanding how you’re processing personal data.
  • Be able to demonstrate a good-faith effort by showing that you’re aware of your responsibilities under GDPR and that you have a plan in place for complying.

Leading the Charge

During our first webinar, we asked attendees about the people — internal and external — who are involved in their GDPR readiness processes, beginning with the question of which department is leading the effort. Here’s how they responded:

[Figure: survey results for the question "What department is leading GDPR efforts?"]

As you can see, most attendees consider GDPR readiness to be primarily a legal or security issue and have assigned responsibility accordingly.

Primitive Logic President Kevin Moos pointed out that if your technology team does not have a seat at the table, it could hamper your readiness efforts. Many companies don’t have a grasp of where all their data is located, where it goes (both internally and externally), and how they’re processing it.

By involving IT early on in the process, you can get a handle on your data processing activities, including how you are processing personal data and your business reasons for doing so. With these elements in place, it will be easier to address other aspects of the regulation.

Protecting Data Subjects’ Rights

In our second webinar of the series, we focused on the data privacy aspects of GDPR from a technology perspective — specifically, the protection of data subjects’ rights as enumerated in the regulation.

As Primitive Logic Chief Architect Eric Greenfeder pointed out, most of the overall efforts in architecting or re-architecting systems to support GDPR are driven by enterprise data management capabilities. Data governance — how you manage your data, the quality of your information, consistency across data stores — will be key, as will data-specific management capabilities (such as identity data management) and data-centric security services (such as data encryption and masking).

Of all data subject rights covered under GDPR, the two that cause greatest concern among businesses are the Right to Erasure (also known as the “right to be forgotten”) and the Right to Data Portability. Kevin commented that before they can comply with these requirements, organizations must address the underlying data management issue, as their architecture probably looks something like this:

[Figure: typical system architecture diagram, showing many point-to-point integrations between systems]

Most organizations don’t have a thorough, up-to-date understanding of how their systems are integrated or how data flows between them. If you don’t know where your data is, you can’t port it or delete it.

Eric discussed two approaches to rectifying this situation — through an integration platform or through common APIs. Once your solution is in place, it’s important to consider additional requirements such as looping in personal data stored in backups and archives, which is also within the scope of GDPR.
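As an added illustration (not code from the webinar or from Primitive Logic), the sketch below shows the "common APIs" approach: every system that holds personal data exposes the same export/erase interface, so one orchestrator can answer a portability or erasure request across all of them and, where a backup or archive cannot delete in place, report that store as pending instead of claiming the request is complete. Store names, classes and sample records are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class LiveStore:
    """Online system (e.g. a CRM) that can delete a record immediately."""
    name: str
    records: dict = field(default_factory=dict)

    def export(self, subject_id: str) -> dict:
        return dict(self.records.get(subject_id, {}))

    def erase(self, subject_id: str) -> bool:
        return self.records.pop(subject_id, None) is not None


@dataclass
class ArchiveStore:
    """Backup/archive that cannot delete in place; erasure is queued until
    the next retention cycle, so the request is reported as pending."""
    name: str
    records: dict = field(default_factory=dict)
    pending_erasure: set = field(default_factory=set)

    def export(self, subject_id: str) -> dict:
        return dict(self.records.get(subject_id, {}))

    def erase(self, subject_id: str) -> bool:
        if subject_id in self.records:
            self.pending_erasure.add(subject_id)
        return False  # nothing is gone yet


def portability_request(stores, subject_id: str) -> dict:
    """Right to Data Portability: collect the subject's data from every store."""
    return {s.name: data for s in stores if (data := s.export(subject_id))}


def erasure_request(stores, subject_id: str) -> dict:
    """Right to Erasure: erase everywhere, report where it is still pending."""
    report = {"erased": [], "pending": []}
    for s in stores:
        if not s.export(subject_id):
            continue  # this store never held the subject
        report["erased" if s.erase(subject_id) else "pending"].append(s.name)
    return report


def demo() -> dict:
    # Constructed sample data; the store names and subject id are hypothetical.
    crm = LiveStore("crm", {"u1": {"email": "u1@example.com"}})
    backup = ArchiveStore("nightly_backup", {"u1": {"email": "u1@example.com"}})
    return erasure_request([crm, backup], "u1")
```

The point of the pending list is that a request is only closed once the archive cycle has actually purged the record, which is the part of the process most organizations do not track today.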

Securing the Fortress

In our third and final webinar of the series, we welcomed a panel of experts to discuss the security side of GDPR from a technology perspective.

Our experts agreed that the security aspects of GDPR causing most concern among covered US organizations are

  • 72-hour breach notification: The EU’s definition of a breach is far broader than the traditional US model, and many organizations are struggling to determine at which point the 72-hour clock will actually start.
  • Data protection by design and by default: Developers will need to take a security-first approach, which marks a significant shift from how they typically view security today.
  • Use of cloud storage and sharing services: Organizations will have to put policies in place regarding employees’ use of cloud-based services that are not under corporate control.

After leading these three webinars, viewing poll results, and seeing the questions coming from the audience, we can see that many organizations are making excellent progress towards GDPR readiness … and that much work still needs to be done. To learn more, you can watch the replay of each session on our BrightTALK channel:

If you have questions about your company’s GDPR readiness, give us a call.

Follow Jill Reber on Twitter at @PrimitiveCEO.

Jill Reber, February 2018