May 25th is the one-year anniversary of GDPR becoming law. However, GDPR is not last year’s problem - the privacy and compliance challenge is never over! These calendar milestones do present an excellent opportunity to take stock of what has been achieved so far and ponder what lies ahead. To mark the anniversary, I met with IDC’s Research Director for European Security, Martin Whitworth to consider what we’ve learned in the last twelve months.
Our discussion highlighted the two very different approaches which global organizations took. One was to invest a significant amount in a programmatic approach, laying out clear plans and involving cross-functional teams. These organizations recognized GDPR as a privacy issue, and have treated robust data protection as an activity which offers a competitive advantage. “Many worked hard to become compliant,” said Martin, “with medium to large organizations reportedly spending an average of $3M on their programs.” The second approach was to spend far less, and see GDPR simply as a compliance issue. “In many cases, organizations just papered over the cracks,” Martin stated.
Security professionals may be relieved that the hype over GDPR has died down, but we must not forget the principles at the heart of the regulation. Martin claimed: “There were many nay-sayers who perceived the regulation as over-onerous, but they forget that GDPR is all about the personal data, the citizen and enforcing their rights.” He is concerned that many organizations only went through the motions, and regrets may ensue.
“At the moment we’re seeing a state of manual compliance, where people have put some processes in place, perhaps a few new policies; in short they’ve done enough to satisfy a quick glance by internal audit. However, this sticking-plaster approach hasn’t been tested yet.”
So far, we’ve seen some fines handed out by the regulatory authorities, notably the €50M Google fine by France’s CNIL (the local data protection authority); but only about 150 “newsworthy” fines from a projection of around 90,000 breach reports across Europe. To help people review and develop their programs, Martin offered five lessons from GDPR implementations so far:
- Keep a watchful eye on the regulators - Regulatory enforcement is still an unknown. Regulators have been issued guidance but are still determining how far to exercise their powers. Remember, it’s not just fines – enforcement can take many approaches.
- Privacy needs to be business-as-usual - Subject Access Request (SAR) Workflows are crying out for automation. If you can’t supply all information for a SAR then you can’t execute other rights like the right to be forgotten or a right to rectification.
- Big data is the BIG challenge - Many organizations went for over-compliance and deleted too much data at a cost to the business.
- Data Protection is back on the agenda - Data protectionism is on the rise – for many reasons, but led by privacy concerns. New laws are being created in non-EU countries like the U.S., Canada, Brazil, Australia and China, which may have a knock-on effect on international data management.
- It's not just about compliance – GDPR is more important than simple compliance, it’s about respecting the privacy of the individual.
There is an existential threat to organizations who fail to understand the importance of GDPR. We are one year on but GDPR is not over, it’s part of doing business and a continual process. Those that invested well and took a programmatic approach will be well positioned for the future. Those that took it as a tick-box compliance exercise may well find themselves exposed.