There has been much buzz about the GDPR (General Data Protection Regulation), set to go into effect in May 2018. Black Duck discussed the topic in the legal track at the Black Duck FLIGHT 2017 user conference, where Daniel Hedley from Irwin Mitchell looked at how European companies are preparing for GDPR.
I recently had the opportunity to attend the GDPR Readiness Summit put on by Compliance Week in Chicago. Black Duck joined data privacy and protection professionals and IP attorneys to talk about what the GDPR means to US-based companies and to brainstorm how to prepare for the coming regulation. Several key themes emerged from the two days of discussion.
Money Is Being Spent
One thing was extremely clear: a lot of money is being spent by companies learning about, preparing for and implementing technology and processes to comply with GDPR. A recent survey conducted by PwC found that, among companies surveyed, 60% will spend more than $1M on GDPR preparation projects and 12% will spend more than $10M. Of the companies that have finished their preparations, 88% reported spending more than $1M and 40% reported spending more than $10M.
Still a Lot to Learn
During one of the sessions at the summit, a speaker estimated that close to half a million dollars will be spent by companies just to understand GDPR, before even implementing a solution.
Many companies were in Chicago to learn from their peers about what others are doing to prepare. The attendees ranged from IP attorneys and general counsel to chief privacy officers, CISOs, and compliance and engineering teams.
Not only are companies spending money to learn about and prepare for GDPR, but many are also creating internal roles dedicated solely to learning about, preparing for and implementing solutions aimed at GDPR and data protection. The summit sessions started with the basics and were broad in reach, explaining how to first get a handle on what personal data you hold and where you hold it. Data mapping, data minimization, policies, procedures, vendor compliance, documentation and what to do if you are breached were just a few of the other subjects covered.
With just six months to go before the regulation takes effect, companies are doing whatever they can to grasp industry best practices and ensure they are on the right path to compliance.
What about Open Source?
With recent publicity about what can happen to personal data when an open source security vulnerability is exploited, attendees drew a clear line between GDPR and open source software management.
Matt Jacobs, Black Duck's General Counsel, led a roundtable discussion on how to reconcile open source security risk with GDPR best practice. Jacobs talked about the pervasiveness of open source software and the risk companies take on when they don't have a handle on what's in their code. In fact, had the Apache Struts breach taken place with GDPR in effect, the ramifications for Equifax could have been far worse than the already devastating impact on its brand reputation and shareholder value.
It was great to talk with current Black Duck customers who attended the summit and who related that one part of their GDPR preparation is complete, with their open source use and monitoring under control. We also had some fantastic conversations with lawyers, consultants and other technology vendors who are being looked to for help with an end-to-end solution for GDPR compliance.
Getting a handle on open source isn't a one-stop solution to your GDPR needs, but it is an important step on the road to GDPR compliance.