Businesses are comprised of different departments and professionals, with data flowing across the organization. When there’s a data breach, it’s usually the data protection officers (DPOs), CIOs, and CISOs who take the brunt of the blame; however, since the introduction of the General Data Protection Regulation (GDPR), all staff are more responsible for data handling. The GDPR has brought in a unified approach towards data security management, increasing awareness among stakeholders at any organization.
One year of the GDPR
The GDPR came into effect on May 25, 2018, bringing more security to EU citizens’ personal data. Though this European data protection law has brought better security to end users, it’s left many businesses struggling to modify their personal data handling procedures. Businesses across the world have redefined their data management strategies to become GDPR-compliant in order to avoid huge penalties imposed on them for poor security frameworks.
However, the number of cyberattacks and data breaches haven’t gone down despite stricter data handling procedures. It’s been a year since the GDPR came into full force, and there’s still a lot of improvement that needs to be done in regard to personal data management.
What’s happened since the GDPR’s establishment?
The GDPR brought huge changes to organizations’ data collection, storage, processing, and disposal procedures; here are some interesting facts surrounding the introduction of the GDPR.
- EU data protection authorities have registered a number of complaints since May 25, 2018. In the first month, there were over 10,000 complaints, and the number of complaints grew to 60,000 over the next six months, eventually hitting 95,180 complaints in January of 2019. All these complaints were filed by individuals who felt their rights under the GDPR had been violated.
- Most of the complaints regarding GDPR compliance have been directed at telemarketing, promotional emails, and video surveillance.
- Based on data breach norms, if organizations experience a data breach they need to report it to the data protection authorities within 72 hours. Due to this, EU data protection authorities received 41,502 reports of data breaches through January 2019, and 5,000 in June 2018 alone.
- Since May 2018, there have been 255 cross-border cases initiated by both national data protection authorities and European Data Protection Boards.
- There are several active cases of companies significantly violating GDPR requirements that could cause fines of up to four percent of the offending company’s annual turnover, as per GDPR stipulations. As of April 2019, five hefty fines have been issued for breaching the law.
- A German social networking company was fined €20,000 for failing to secure users’ data.
- An Austrian sports betting cafe was fined €5,280 for unlawful video surveillance.
- Google was fined €50,000,000 in France for lack of consent on ads.
- The Polish data protection regulator levied a €220,000 fine on a Warsaw-based data analytics company for scraping the internet for data and not making the proper disclosures.
- After a random audit, a taxi company in Denmark was fined DKK 1.2 million for failing to delete customer information.
- The GDPR is directly applicable to all EU countries; as of April 2019, 23 member states have adopted the GDPR—all EU member countries aside from Bulgaria, Greece, Slovenia, Portugal, and the Czech Republic.
- With over 300,000 media mentions in 2018, the GDPR received even more coverage than Mark Zuckerberg.
- In May 2018, the GDPR was at the top of Google Trends —higher than any American celebrities.
What lies ahead?
Based on reports from the European Commission, as of December 2018, over 50 percent of regulated organizations are yet to become GDPR-compliant.
Organizations need to become GDPR-compliant the old-school way by redefining their security strategy, identifying their data entry and exit points, as well as determining their data storage and management procedures. Generally this takes a great deal of time. However, with the proper data security management tools, this overall strategy can be simplified, providing better visibility and security to users’ personal data.
How should businesses become GDPR compliance before its too late?
Businesses need to identify the right data security strategies to kick start their journey towards GDPR compliance. CIOs and CISO need to identify these strategies by appointing the right data protection officers to take care of their organizational data and improve its security against cyberattacks. Businesses that are already in track to GDPR compliance, need to make sure whether they will be able to sustain their compliance over a long term, and those who are already compliant, congratulations you are one among the remaining 50%.
Businesses that are yet to kick start their data security procedures need to do the following to be there on time, identify how a data exists inside your network at various different points like the point of entry, purpose of data collection, process the data undergoes, storage duration/location, and exit points. Businesses would be able to do this smoothly by employing the right endpoint management or data management solution, as these tools can bring a bird’s view perspective over your organizational data.