By AJ Thompson, CCO, Northdoor
The introduction of the General Data Protection Regulation (GDPR) in May 2018 brought with it a fanfare of publicity and dire warnings of the consequences of not being compliant. In the face of such overwhelming noise it is easy to presume that most companies immediately made changes to their policies in order to become compliant.
However, this was not the case. A number of new surveys undertaken in May 2019 have shown that many companies are still struggling to implement the regulation, if not apparently ignoring it completely. Research has found that over 75% of organisations could be struggling with GDPR compliance, with only 23% of businesses believing their compliance capabilities were ‘very good’.
Regulatory bodies crying wolf?
The reasons behind organisations being so far behind the curve when it comes to adherence to GDPR are varied, but it is tempting to point to the introduction and enforcement of previous regulations.
There have been multiple regulations introduced over the course of the past twenty years that focus on data, privacy and security.
A good example is PCI-DSS (Payment Card Industry Data Security Standard), an information security standard for organisations that handle branded credit cards. Its roll-out in 2006 was meant to ensure that all companies dealing with major credit card records became compliant or faced severe consequences. Despite the threat of major fines and the associated reputational damage, many companies remain non-compliant.
This is just one example of why so many companies have not taken the warnings around the GDPR launch as seriously as you might expect – perhaps because of the limited follow-through from regulatory bodies.
GDPR making an impact
The difference with GDPR has been clear almost from the point of its introduction. There has been a raft of enforcement notices and notices of intention to fine, the first coming just two months after its implementation. This is in sharp contrast to other regulations and should certainly act as a warning to those perhaps not taking GDPR seriously enough.
In the UK, the Information Commissioner’s Office (ICO) has made its intentions very clear. It has hit high-profile brands such as BA and the hotel chain Marriott with notices of intention to fine, threatening huge amounts (BA = £189.39m, Marriott = £99m). By March 2019 over 200,000 cases had been reported across Europe, and there is no sign of this slowing down.
Indeed, the most recent data breach was in August of this year, when biometric data stored by the Korean company Biostar 2 was breached. More than one million fingerprints and a host of usernames and passwords were exposed on an unsecured database hosted by the security platform, which lists the Metropolitan Police among its clients. The breach took place on 5 August and was not resolved for eight days. The Information Commissioner’s Office has confirmed it is aware of the breach and is making enquiries into the incident.
The fact that the ICO and its equivalents across Europe are proactively chasing companies they believe are not GDPR compliant should be a warning sign to all organisations.
Not just ticking boxes
For those companies that have gone through the process of becoming compliant, it is crucial that they remain focused and attentive to the changing regulatory and security landscape.
The regulations change from iteration to iteration, and with security threats becoming more sophisticated all the time, companies need to stay on top of them. Compliance therefore cannot be a tick-box exercise; it must be an ongoing process.
Only 29% of companies that have been validated for PCI DSS remain compliant after a year, for example. GDPR is likely to be a moving beast, and companies have to remain flexible in their approach if they are to remain compliant and avoid the threat of fines.
Many firms put in temporary solutions because there was no legislative plan, which led to manual data discovery, manual data redaction and manual supplier risk management. These processes are, on the whole, unreliable, cannot scale and are not repeatable.
These companies in particular have to keep a flexible approach to their GDPR policies and implement automated solutions as quickly as possible to ensure adherence. Automated vendor onboarding, risk assessment, security and compliance checks, and continuous threat monitoring are crucial in order to remain compliant.
More than just fines – reputational damage
Aside from the threat of huge fines, every company hit by the ICO attracts a huge amount of publicity.
The media interest and scrutiny around the introduction of GDPR in 2018 means that the public are now very aware of the value and vulnerability of their data. Any company charged by the ICO will not only pay a fine, but will also suffer major reputational damage.
Consumers will quickly lose trust in companies that are perceived not to be taking their responsibilities towards consumer data seriously. Companies need to get their heads out of the sand and take their efforts to become GDPR compliant to an industrial level.
Time to industrialise your GDPR process
With regulatory bodies across Europe remaining proactive in their approach to GDPR and the implementation of enforcement orders and fines, companies cannot ignore this as they might have with other regulations.
The amount of publicity surrounding the introduction of GDPR has meant that the ICO and others have had to act quickly and decisively.
The nature of the regulation means that the processes you have in place have to cover not just your own company, but every organisation across your entire supply chain. Manual processes simply cannot stand up to this kind of breadth and detail, and therefore the industrialisation and automation of GDPR compliance has to be the next step for many companies.