GDPR made many warnings and still do. The point is, 18 months on, why the headache of GDPR compliance from before its enactment still remains.
The implementation of GDPR aimed to create a safe and reliable world; however, this was undermined by how vague it was in part. The core criticism of GDPR that it enforced rules but did not explain what the regulation was trying to solve. Therefore, the initial resistance to GDPR resulted in the change of external-facing policies.
Regulators imposed fines for violating the rules, on companies back to back. But this summer, huge penalties imposed on well-known companies such as Facebook, Equifax, Uber, Google, British Airways and Marriot. All fines have the same reason, negligence, and misuse of the personal data of consumers. In other words, this year will be known for substantial penalties levied on large organisations.
This post GDPR headache will linger on as far as the process of assigning fines over data misuse is going on. Five ways have been identified, in which GDPR has impacted the industry.
1) Missing deadlines
The Ponemon Institute and McDermott Will & Emery reported that more than 1,200 international organisations say, GDPR implementation is quite challenging than every other data privacy and security requirements.
Richard Weaver, chief data protection officer at FireEye, said in an August interview with CIO Dive “You want to know what’s expected of you. But regulations don’t define what “appropriate” security is, and it can be challenging to try to reach out to data protection authorities for guidance proactively.”
Research has found that many of the organisations missed the deadline of May 25, 2018. However, one-quarter of EU enterprises reported that they accomplished compliance in 2019. Whereas, in the US, 36% of the organisations reached compliance until now.
Mark Schreiber, a partner at McDermott Will & Emery, told CIO Dive, “GDPR covers companies outside the EU, and it has robust data subject rights that require backend processes. The US companies are just getting used to that.”
2) Calling out breaches
A survey found that more than half of the companies encountered data breaches and did not inform the relevant national regulators. And, 46% of companies experienced at least two breaches that require reporting to the regulators.
Ashley Winton, a partner at McDermott Will & Emery, told CIO Dive,
“Historically, in Europe, there was no universal tradition of notifying breaches, and so we expected that it would take a while before companies become used to changing their behaviour. It is notable that such a large percentage are reporting breaches and telling for companies that have not yet made a data breach notification.”
It is noteworthy that the confidence to report a breach to the regulator is quite low in the organisations. 18% of the respondents informed that they reported a breach within 72 hours of discovery.
Winton further said, but not all breaches are reportable.
“An unavailable system or inappropriate security use, for example, are “not reportable.” Reports reserved for breaches that only impact consumers.”
“Even if a breach of a type that is reportable, if the breach is unlikely to result in a risk to the rights and freedoms of individuals then there is no need to report that breach either.”
3) Appointing a DPO
While preparing for GDPR, 90% of the organisation appointed Data Protection Officer (DPO). In 2019, the percentage has reached 92%.
In addition, in 2019, only 64% of the organisations conducted an assessment for compliance with regulations.
“It’s a particular title. And so many CTOs also hold that title,” said Weaver.
Make sure the DPO in your organisation understands the privacy laws and technological backend. Such as, how data is stored, collected and used by the organisation. It’s hard to find a single person having an understanding of both areas.
4) Keeping an eye on compliance
35% of the survey respondents didn’t even know what led them to face data breaches. Besides, negligent insiders, third-party threats and cyber-attacks are the leading cause of data breaches.
Winton said it’s a concern that companies do not understand the cause of the breach as presumably that increases the risk of the offense.”
In accordance with Weaver, “organisations identify IT security as the most responsible party for GDPR compliance. But the bottom line is the DPO doesn’t operate in a vacuum.”
5) Haunting penalties
Fines for non-compliance are the same as they were in 2018 and even before that. The thing is, GDPR was not in force earlier, but now it is, and still the ratio of penalties is constant.
Approximately, three-quarters of companies have a GDPR budget with 35% expecting the budget to get an annual renewal.
Another top concern of 38% of the organisation in 2019 is consumer rights.
Winton said, “It is interesting to see that some companies are adopting GDPR for their US operations even where not mandated by law. Perhaps they are taking the view that US law privacy law will move closer to the GDPR standard.”