It is well over a year now since the EU General Data Protection Regulation (GDPR) came into effect. It was a defining moment in the history of data privacy. It shone a spotlight on data protection, helping to turn it into a top priority for organisations worldwide. It engendered stricter laws in California, New Zealand and Brazil and a range of other states and countries.
According to the European Data Protection Board, regulators in 11 countries issued fines totalling €56 million for GDPR violations over the first year of GDPR. Recent months, however, have seen some particularly high-profile cases and heavy fines announced. In July, the UK watchdog, the Information Commissioner’s Office (ICO) issued notice of its intention to fine British Airways £183.39 million for GDPR infringements. The following day, the ICO reported that it intended to fine hotel chain, Marriott International $111.5 million for GDPR infringements relating to a 2018 cyber incident.
These two fines represent the largest so far meted out under the regulation. They represent a wake-up call to all businesses that the ICO is serious in its intent to enforce the law and that penalties and fines can be substantial. The apparent lull in major incidents following the onset of GDPR may have lured some firms into a false sense of security as the likelihood is that these kinds of fines will become a more regular occurrence over time. There are parallels to be drawn here with the Health Insurance Portability and Accountability Act (HIPAA) in the US. It took several years for fines to really start to ramp up following the introduction of HIPAA in 1996 but over time, they did become a regular occurrence.
In the US, around half the companies with HIPAA violations end up closing down. The same thing is likely to happen with GDPR. After all, the purpose of the ICO is to enforce the laws and protect the people, not come to the defence of the organisation, in fact just the opposite.
Putting a Plan in Place
So, given all this, how can organisations ensure they have prepared properly and fully for GDPR and how can they minimize any chance they may be fined for breaches in the future?
They must first and foremost take GDPR seriously. That means reporting on what they do and have done in terms of protecting their personally identifiable data. When asked how companies can ensure they follow GDPR best practice, I often say they need to do three things: document, document and document!
Some business people think that compliance comes down to knowing the terms of GDPR in exhaustive detail. In fact, knowing the law is only half of it. You’ve got to know your own company. More specifically, you need to understand what your company does and how it collects data. Is it part of your company’s DNA, or is it just something you do in a casual, offhand manner? The truth is: if it is not part of your DNA, you are probably missing something – and that has to be a serious concern for any enterprise organisation.
Running the Risk
By failing to ensure compliance with GDPR, any business is running some significant risks. In addition to substantial penalties that can quickly eat into the bottom line of the business, the biggest risks are to the company’s reputation and the goodwill shown to it.
Any company that fails to follow the stipulations of GDPR and experiences a data leak as a result opens themselves up to severe monetary penalties and fines; loss of future business, network downtime, ongoing legal fees, loss of customer trust and confidence, unhappy shareholders and poor employee morale.
They will inevitably take a severe hit and depending on their resilience and robustness as a business, they may even be forced to shut down. That’s food for thought for any business when they decide whether or not they should put the necessary measures in place to comply. GDPR is not going to go away and every organisation needs to ensure it has put its own house in order. There is no time like the present to do so.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.