You Have One Year to Make GDPR Your Biggest Security Victory Ever

The EU's new razor-toothed data privacy law could either rip you apart or help you create the best security program you've ever had. Here's how.

Set new processes and policies and ways to enforce them.

Decide whether or not you're going to set different policies for EU citizen data or apply those standards to all data. "That presumes that you know the difference between EU citizens and others," Vecci points out. Before you can decide whether to segregate that data or secure it differently, you must first set processes and technologies for properly classifying it, he says.

Data collection and consent. What can you avoid collecting altogether? What can you do to make consent for data collection as user-friendly and low-friction as possible, while also making sure that it's very clear what is being collected and how it will be used?

Data storage. Should you consider separate storage on EU-based servers, to make some of the Article 46 rules on data transfer easier to follow?

Data retention/destruction. The Blancco study found that 28% of IT pros in the US relied on basic deletion alone, and 25% on free data wiping solutions.

Get your developers on board. Secure development practices, encryption, pseudonymization, identity, vulnerability assessments, and proper security testing are, to varying degrees, mandated or encouraged by GDPR. The data protection by design and by default rule means that bolted-on application security isn't enough anymore.

Revisit procurement procedures and third-party contracts. According to Gartner analysts, "Outside parties must also comply with relevant requirements that can impact supply, change management and procurement processes."

Prepare for breach response and complaint response. You will need to have a system for receiving and responding to complaints. According to Gartner analysts, "If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls."

Get that extra budget.

Here are some things to tell your board of directors and CFO when you need extra money for this effort.

GDPR would have cost Tesco Bank billions. Had GDPR been in place when Tesco Bank was breached and hit with a heist in November 2016, the bank might have been liable to fines of up to £1.9 billion ($2.46 billion USD) for that breach. Cybercriminals lifted roughly £2.5 million from 9,000 of Tesco's customers, but the breach could have cost the bank far, far more than that.

The GDPR requires data controllers have adequate security protections in place, and a violation of that rule could have cost the bank up to 4 percent of its sizeable annual turnover. Seventy-five percent of the people surveyed in the Varonis study said that the fines imposed as a result of breaching the regulation could "cripple" some organizations.

Fines aren't the only punishment. As Ilias Chantzos, Symantec's senior director of global government affairs and cybersecurity policy, wrote May 12: "Data Protection Authorities have many more arrows in their quiver that may prove even more problematic than the fines. Decisions by [data protection authorities] such as ban of processing of certain categories of data or suspension of data flows can kill complete business models." He also mentions that there are no caps on liability and lawsuits.

Don't assume the laws won't be enforced. Not only can nations' data protection authorities take action against violators, but individual European citizens can. Individuals have already had major legal victories against giant companies over privacy, the quintessential case being Austrian Max Schrems' complaints about Facebook's data transfers.

Individuals are now further empowered by GDPR, and any violations, particularly in the form of data breaches, could draw more attention and class action suits than US companies might expect from Americans.

Just keep things secure.

"GDPR is not that onerous when you think about it," Vecci notes.

Knowing what and where your data is, being able to change it or destroy it, making sure that only the people who should have access to it do, and keeping it secure are really just common sense controls that organizations already apply to other assets, he says.

"We would never have a bank account with no protections around it ... but we treat data that way," he says.

GDPR is a way of codifying this data security and gives CISOs more leverage to do it. It also broadens the definition of "private data," which means that more systems and data will need protections, something that Vecci says was necessary already.

"Meeting the regulations really just means doing the basics."