BURLINGTON, Massachusetts: Unless you’ve been on holiday without access to Wi-Fi over the last year (in which case, I’m envious of your year-long holiday), there’s little doubt that you’ve heard of GDPR — the European Union’s General Data Protection Regulation.
The GDPR took effect on May 25 last year, affecting how organisations use, store, transmit and process the data of EU residents. Organisations worldwide that do any one of these must comply with it. Yet, one year on, there are still some companies that are not GDPR compliant.
According to a survey conducted by IT Governance, as of December 2018, 71 per cent of organisations aren’t.
Worse, only 45 per cent of IT executives claim to have a strategy for organisation-wide encryption, which the GDPR calls an “appropriate” measure of data security, according to a March 2019 nCipher Ponemon study on encryption trends.
What’s even more shocking is that 25 of 28 official EU government websites may not yet be GDPR compliant, per another March 2019 Cookiebot report.
If you’re involved with data privacy and security on behalf of your employer, there’s a high likelihood you saw numerous stories of firms preparing for the compliance deadline. Once GDPR went into effect last year, more stories emerged regarding the repercussions of non-compliance.
With a maximum fine of €20 million (USD$22.4 million) or 4 per cent of global turnover, one would imagine more would have been done in the firms who aren’t yet GDPR compliant. Then again, this first year was relatively quiet regarding activity to enforce the regulation.
Overall, this year has been one of learning and continuing to ramp up to full enforcement as precedents from regulators are set.
Make no mistake, regulators haven’t been twiddling their thumbs. There are currently 18 investigations underway in Ireland by the Data Protection Commission, a lead regulator in the EU for companies with EU headquarters in Ireland such as Facebook, Google, and other high-profile tech giants.
FINES FOR THE NON-COMPLIANT
Fines are a key component of non-compliance and firms around the globe need to be aware of the travails of the unfortunate few who have felt the fallout from the GDPR hammer coming down.
The first documented GDPR fine was €400,000. The recipient? A hospital in Portugal that was allowing access to clinical files in a manner regulators deemed improper.
At least 91 fines were served up during the first eight months of the regulation. These ranged from small fines, such as the €4,800 issued for a CCTV system in Austria that captured a public sidewalk, to larger instances, such as French regulators fining Google €50 million for using personal data inappropriately.
Importantly, the Google case highlighted that product design and consent are key components of GDPR compliance – not just how you respond to a data breach or manage cookies.
Additionally, while Ireland might be the EU business headquarters for many tech giants, as Google learnt, EU regulators view the location where privacy decisions are made as paramount when determining jurisdiction. As a result, regulators can still take action against non-compliant organisations even if they are not headquartered in that jurisdiction.
DATA PRIVACY IS MANDATORY
The single most important obligation under GDPR is for an organisation to recognise that data privacy is mandatory and proper management of data collection and processing can only occur under dedicated guidance.
That means the appointment of a Data Protection Officer familiar with the nuances of GDPR. That individual should review existing data collection activities and data processing relationships to ensure proper consent was obtained prior to the collection of data.
Disclosure processes can be crafted to address key governance issues, such as the incident response mechanisms to be followed in the event of a breach, as well as the actual response mechanisms.
Businesses must have a legitimate reason to collect or process that data, what is known as “lawful basis”, and that doesn’t include an option of “because we wanted to do something cool with that data”.
For most organisations, the four valid options for lawful basis are: consent, contract, legal obligation or legitimate interests. Consent must be granted prior to data collection and can be revoked at any time. An opt-out model for collection isn’t a valid option, as the French judgement against Google confirmed.
It may seem like legitimate interests can offer huge leeway to businesses to use people’s data, but it must also meet reasonable expectations. For example, the proposed collection and processing options must be within the realm of what a normal user might expect and be necessary to the delivery of that service.
WHY THE GDPR APPLIES TO YOUR ORGANISATION
The transactions covered include operations carried out by employees, on other organisations’ data, and on customers — even those receiving a free service.
While it might be tempting to assume that if your organisation only operates in a specific geographic region outside of the EU then no GDPR obligations exist, the reality is that if your organisation might interact with an EU resident and collect data during that interaction, then GDPR is something you need to be aware of.
Investment in compliance efforts can be costly for organisations. But it’s important to keep in mind that since privacy and security are closely related, the primary business advantage for comprehensive GDPR implementation is the safeguarding of customer goodwill.
Reputational and brand damage occur with any data breach. When a breach is disclosed, public confidence in the security measures employed to secure users’ personal data is questioned.
Following a data breach, business operations may be impaired for months, if not longer, while the organisation addresses updated security requirements and regulatory oversight, not to mention the fines or sanctions that could be imposed.
As with the French judgement against Google earlier this year, the fines can be substantial, but the lasting impact might be on how products are designed.
In the end, improvements in privacy management pay dividends, as consumer confidence in products and services that operate securely attracts new customers.
Tim Mackey is Principal Security Strategist at Synopsys’ Cybersecurity Research Center (CyRC).