We’re just a month away from seeing the General Data Protection Regulation (GDPR) introduced across Europe which will replace the old Data Protection Directives that were drawn up in the 1990s. A lot has changed in two decades. Vast swathes of personal data are now generated daily and the upgrade in data protection laws for citizens living in a democracy is well overdue.
With the new regulations coming into play on 25th May, we decided to interview the founders of Prifender (an iAngels portfolio company), Dr Sagi Leizerov and Nimrod Luria, who have developed an AI-driven automation system for managing data privacy. Read on to discover what they believe these changes mean.
Firstly, can you tell us what the GDPR is and why we need it?
The GDPR is being introduced as a means of strengthening data privacy for Europeans by replacing the old Data Protection Directives. The GDPR website describes the new directive as being designed to “harmonize data privacy laws across Europe and to protect and empower all EU citizens’ data privacy”.
There have been 4 years of preparation and debate since the GDPR was approved by the EU Parliament back in April 2016. Companies have been given 2 years in which to comply, with those who don’t comply at risk of facing significant fines.
The GDPR is expected to have significant impact on data governance and management and will impact enterprise software companies across the board.
With the GDPR enforcement date fast approaching, what is the level of enterprise readiness to comply?
Both Forrester and the International Association of Privacy Professionals have studied the question of GDPR compliance and found that many companies (the majority in the case of the IAPP study) will not be able to fully comply by its due date. According to the IAPP, only 4 in 10 companies will be ready by the compliance date. Forrester, which arrived at similar numbers, has even said that many companies are most likely overstating their readiness for GDPR.
Even those companies taking active steps to improve their preparedness for the regulation are facing significant challenges when it comes to the effectiveness of their compliance. Traditional means for privacy compliance tend to emphasize policies, contracts and training (sometimes referred to as “paper compliance”) rather than controls and control-monitoring. Without automated controls over the impacted data, it’s almost impossible to really know whether day-to-day activities are meeting what the policies and contracts are stating.
What do you think would be the implication for non-compliance and which enterprises would be impacted the most?
To best understand the impact of non-compliance we need to keep in mind that the GDPR includes, for the first time in the EU, broad breach notification requirements. This means that when companies experience a security incident (i.e., an inappropriate access or disclosure of personal information), they will have to reach out to both their privacy regulators and the impacted individuals to reveal the breach. These notifications will lead to an audit of the company’s level of preparedness, and any identified gaps in their GDPR compliance will be viewed in the context of the breach. In other words, compliance violations will be assessed based on the severity of the data breach. Consequences could mean reputational damage for organizations, fines or indirect costs such as increased audit requirements and challenges in signing up new customers, as well as others.
As this regulation concerns the personal information of European residents, will its impact be limited to European organizations?
It’s foreseen that the GDPR will have a global impact, mainly for two reasons: Firstly, it will apply to any organization that uses the personal information of EU residents, even if that organization is not based or is not operating in the EU.
Secondly, it will also apply to EU organizations that operate outside of the EU i.e., it will apply to non-EU residents that transact with an EU entity.
Beyond these two reasons, many international organizations will find it easy to adopt one set of requirements across their entire enterprise, rather than creating a patchwork of requirements for each operating entity in different countries. For this reason, we’re likely to see more organizations adopting global privacy standards that follow the GDPR’s high bar.
How do you expect this market to develop and how big do you feel the opportunity is?
The question should instead be: what do we describe as the market? While the market for GDPR-related solutions is large and is likely to continue to grow over the coming years, there is an even larger and more promising market developing, which is the opportunity generated by monetizing and profiting from personal information at scale. Personal data is a valuable asset that can generate significant revenue through its analysis, sharing, sale and connectivity to different sources.
At a time when privacy regulations are tightening up and more people are becoming aware of the importance of data privacy, monetizing personal data is a challenge leading many organizations either to avoid monetizing it completely, to do something small-scale or, worse, to hide the fact that they’re monetizing data. With sophisticated technologies for tracking personal data coming into the market, a highly lucrative (and compliant) market is steadily opening up to organizations from a wide span of different industry sectors. For this market, the size of the opportunity is tremendous.
Can you tell us a little about the response and traction Prifender is getting so far?
Prifender represents a real paradigm shift in how organizations can manage personal information. The technology is not an incremental step forward, it is a leap forward. The two reactions we’re currently receiving when we show the technology to privacy professionals for the first time are, first, “it’s magic!” and second, “I need it.” Suffice it to say that we’re getting very positive reactions and interest in Prifender as we continue to grow.