The European Union’s General Data Protection Regulation (GDPR), which celebrates its first anniversary on May 25, 2019, has had a significant impact on personal data protection. All companies doing business with other companies located in the EU must comply with the law or face hefty fines.
Under one of its rules, a company must report any known breach within 72 hours through the proper channels; penalties for non-compliance can cost the organization upwards of €20 million or four per cent of its yearly worldwide revenue, whichever is higher.
Companies also need to demonstrate that they have proper controls in place for processing and security of personal data, including how data is used, stored, accessed, transferred and deleted.
What practical changes have been made in one year?
The reality is that most organizations have done the bare minimum when it comes to data handling and storage, Jasmit Sagoo, Senior Director for Northern Europe at Veritas Technologies, said.
“Generally, they’ve aimed to remove risks in two ways. First, deleting old data that is no longer necessary. Second, by taking steps to reduce the risk of litigation. This could be through consent forms on websites that ask customers to allow them to use their data, or through emails informing customers of the new GDPR rules and that they hold information about them,” he said.
He said that rather than addressing their underlying data management challenges, these organizations are simply doing just enough to avoid legal issues.
Reported data breaches
According to law firm DLA Piper, more than 59,000 personal data breaches had been notified to regulators up to January this year. The Netherlands, Germany and the UK had the most data breaches notified to supervisory authorities, with around 15,400, 12,600 and 10,600 respectively.
To date, 91 reported fines have been imposed under GDPR, though not all of them relate to personal data breaches. According to the law firm, the highest fine imposed so far is €50 million, levied by the French data protection authority, CNIL, against Google in relation to the processing of personal data for advertising purposes without valid authorization.
However, many organizations are still waiting to hear from the regulators whether any action will be taken against them in relation to the breaches they have notified, and more fines are expected to be announced in the coming months from a large backlog of notified breaches.
“This relaxed approach to data protection is being driven by the lack of GDPR fines and reprimands for companies that have fallen foul of the regulation,” Sagoo said.
However, he said that there is one way in which GDPR has worked: improving transparency.
Sagoo states that high-profile data breaches have made consumers “increasingly cautious” about what data they share, where it’s being stored and who it is accessed by.
Alister Shepherd, Director for Middle East and Africa at Mandiant, a unit of FireEye, said that, so far, GDPR has been more about the internal handling of data than about cyber-attacks.
“We haven’t seen any big GDPR sanctions or punishments as a result of cyber attacks but it has improved the security and awareness around personal data,” he said.
Research by Veritas Technologies found that poor data protection can have a dire commercial impact on companies - 56% of consumers would dump a business that fails to protect their data, and 47% would abandon their loyalty and turn to a competitor.
When organizations had a breach in 2018, Sagoo said that they took “corrective measures” to reach out to customers and allowed customers to update their passwords and protect themselves. In an era of fake news and corporate suspicion, he said that this honest approach has truly benefited the consumer.
“However, transparency alone is not enough. Going forward, it’s likely that law firms will begin to monetize GDPR by encouraging consumers whose information has been misused to seek compensation, and those organizations that have taken shortcuts may wish they hadn’t,” he said.
As part of the preparation, he said that businesses need to ensure they have full visibility and control of the data they hold. “It’s critical that they make use of technology that can help them locate, protect and manage data before it’s too late,” he said.
Moreover, growing security and privacy concerns have driven increased legislative and regulatory activities around the world.
More countries to follow
Shepherd said that local regulations are being introduced or considered in the wake of GDPR. In the Middle East region, he said that security and maturity are very low compared to other regions, but GDPR is helping.
Many countries, such as Canada and Brazil, have passed new privacy legislation similar to GDPR, while California passed a privacy law considered to be the toughest in the US to date.
In the region, Turkey has the PPD (protection of personal data); in South Africa, it is called the Protection of Personal Information Act (PoPI); Saudi Arabia has its own data protection law based on Sharia; and the UAE has the National Electronic Security Authority (NESA).
More countries are expected to follow as security and privacy concerns about personal data grow.