Senior Analyst from Forrester, Enza Iannopollo, recently joined me and Martin Sugden, CEO of Boldon James, one of our data discovery technical partners, on a webinar to discuss the evolution of data protection and compliance with regards to global regulations. We spoke to Enza to capture some of her thoughts.
Q: It’s been two years since GDPR came into force. What trends and changes in attitude have you seen during that time?
It is a given, these days, that enterprises need to concern themselves with data protection and keeping individuals’ and sensitive corporate data private. This is not only to satisfy regulators’ demands, but also to promote and protect customer engagement. It also enables digital transformation. To put it simply, privacy is not just for regulators, but for customers, partners and employees.
If anyone thinks that regulators have gone quiet since GDPR came into force, they would be wrong. Since GDPR became law, regulators have issued hundreds of enforcement actions, with regulators in the United Kingdom and Spain being particularly active. The Spanish regulator - Agencia Española de Protección de Datos (AEPD) - has issued the most enforcement actions, while the Information Commissioner’s Office (ICO) in the UK has cost businesses the most money. Failure to meet requirements around the principles of processing of personal data and the lawfulness of processing are the most common reasons to trigger an enforcement action, but it’s the lack of sufficient technical and organizational measures to ensure information security that costs companies the most. Gaining full visibility and awareness of what data companies have, where it is stored, and how it is accessed and shared are foundational elements of a sound data privacy and security program.
And to think that this applies only to companies in Europe is a mistake. Stringent privacy rules are quickly becoming a global trend. GDPR may have led the way, but there are many more privacy regulations emerging across the world – think of the California Consumer Privacy Act (CCPA), the Brazilian LGPD, or the new law expected by 2021 in India, just to mention a few.
Q: Do you think some companies simply pay lip service to privacy requirements?
Forrester’s research shows that customers are changing their behaviour based on how trustworthy they perceive a firm to be. For example, 52% of consumers in the UK have taken measures to limit the amount of personal data they share with apps and websites when using connected devices, and this number is broadly similar across EMEA. Forrester’s research shows that consumers are now voting with their wallets and calling out those organizations they see misusing personal data. Consumers are increasingly engaging with regulators directly to report situations that they recognise as detrimental to their privacy. For example, a few months ago the Dutch data protection authority had to issue guidance on how to manage cookie consent as a response to citizens’ pressure.
If companies believe that consumers don’t understand the technical details of data collection, or don’t care about the sharing and processing of personal data – that would be another misconception.
Q: What changes have you seen in companies’ attitudes to regulation?
We are now seeing, two years into GDPR enforcement, and as other data protection regulations roll out globally, a cultural shift in businesses’ approach. Compliance with data protection laws is no longer only a checklist approach; companies are starting to integrate the principles of data protection into their business processes, operations and systems. The operationalisation of privacy has started.
There is still a lot of work to be done. There are companies that still take a “wait and see” approach. They are also taking a huge risk, fuelled by a short-sighted view of the privacy debate. We know regulators are acting, and we know that consumers care about their data, and so do their business partners and employees.
Consistent data security must be maintained no matter where the data resides. Data protection policies must be based on true business risks: therefore, strong working relationships between IT and data science teams must be built. It’s hard to truly understand the critical data paths within an organization: but this is a key first step.
Q: If you could summarise your advice into five key steps, what would they be?
- Target and cross reference existing and upcoming data protection regulations
- Align privacy programs to overarching governance frameworks
- Establish robust oversight and accountability structures
- Prepare for a significant increase in data subject right requests
- Don’t be complacent: enforcement actions are ongoing
For more information on how you can simplify security controls with data classification from Boldon James and Forcepoint’s DLP solutions, you can also listen to part two of our data protection series: Data Discovery and Classification, By Design Part 2 - Simplifying Security Controls.
Organisations are revisiting the way they manage and protect their data, adopting a more strategic perspective than ever before. As they undergo digital transformation, store vast volumes of data and contend with regulatory requirements, many businesses seek parallel protection and labelling solutions for effective control.