A changing business landscape
It is hard to believe that GDPR was introduced four years ago, in May 2018. The business landscape has changed dramatically since then, with the impact of the pandemic, Brexit, increased globalisation, and a ‘work from anywhere’ mantra enabling organisations to recruit across country boundaries. More recently, escalating geopolitical issues, rising energy prices and inflation have made their mark on business and society.
Today, we live in a complex world: one with escalating cyber threats, where security and risk management processes must be kept up to date because data leakages, breaches, phishing attacks, ransomware and other threats to the business can come from anywhere.
Indeed, the rising threat of ransomware means that any form of cyber insurance is now increasing significantly in price and cyber insurers are starting to refuse to pay out for ransoms.
Heavily regulated industries lead the way while others pay lip service
As we consider the impact of GDPR and whether it has been successful over the past four years, compared to other types of regulation, what stands out is that there have certainly been more fines, or threats of fines, against companies of all sizes. Likewise, it is clear that heavily regulated industries such as the financial services sector are leading the way. In fact, the financial services sector, and in particular the FCA, has just introduced additional regulation, in the same vein as GDPR, which focuses on operational resilience and reducing risk.
That said, the ICO knows it still has a significant job to do to encourage companies to take the necessary steps to ensure compliance. For example, there is talk of new government legislation coming into force to mandate that organisations review supply chain risk.
At the time GDPR came into force, it was certainly high profile and prompted many companies to immediately start working out what they needed to do to become compliant. However, after the initial panic and rush of activity, plus the subsequent weakening of the legislation, which now states that companies only need a “plan” of their plan, the impetus around GDPR is waning, especially for non-regulated industries.
GDPR compliance is not a one and done activity
Back in 2018, many organisations focused on creating a fit-for-purpose compliance programme. And while many will have drawn a line under this, saying that the organisation is now ‘compliant’, unfortunately the compliance journey is not a project that is ‘one and done’.
Compliance needs to be an ongoing activity of best practice and adherence to ever growing and changing compliance regimes. However, most organisations did what they needed to do to achieve a basic level of compliance, but there has been little evidence of a pro-active stance since.
As of April 2022, the total number of GDPR fines exceeds 1,000 and the total amount of GDPR fines is €1,612,193,292. During the first couple of years most of the fines related to huge data breaches whereby cyber criminals gained access to sensitive or PII data.
However, as data commissioners across Europe started to look deeper into data management, more recent investigations have tended to focus on internal procedures, with fines relating to poor internal processes within companies rather than to a specific data breach. Unfortunately, this means that those who think they are safe from investigation because they have not been breached by criminal activity are living in ignorance. The need to ensure that all data processes adhere to GDPR, and that robust GDPR solutions are employed, is just as critical today as it was four years ago. The largest GDPR fine to date is €746,000,000, levied against Amazon Europe in Luxembourg in July 2021.
Since GDPR was implemented, individuals have had more rights over the data an organisation might be holding, and here at Northdoor we have experienced an increase in Subject Access Requests (SARs). While there hasn’t been a stampede for these, even a small number of requests can represent a major distraction and drain on resources for an organisation. Likewise, demand for data masking (pseudonymisation) solutions and encryption is increasing, and many organisations are appointing a data protection officer (DPO); however, DPOs are in short supply and many companies struggle to find and retain one with the right skills.
Furthermore, the industry is witnessing an increase in supply chain data breaches across the board, and this is prompting more organisations to carefully vet their supply chain and their supplier onboarding processes. Additionally, the more recent uptake of Zero Trust models and strategies points to the ongoing development of more robust data security practices, and this is certainly a framework that organisations are putting in place to protect themselves.
Why the industrialisation of GDPR is so important
So, indirectly, compliance and GDPR are influencing programmes, but, four years on, is there more that organisations should be doing?
Here at Northdoor we advocate the industrialisation of GDPR compliance processes, so that they are embedded into business-as-usual practices, become all but invisible and highly automated, and teams can be confident that they have GDPR covered. This takes the emphasis off individuals being responsible for putting such processes in place, ensures that current processes are in line with the regulation, and makes sure that any changes to the rules are immediately recognised and implemented.
In summary, those organisations that have let inertia creep in should take note that nothing has fundamentally changed since the day GDPR came into force. Ultimately, this means that every company should re-examine its adherence to the regulation, implement solutions that help manage this process, and keep employees up to date with the latest changes. Companies that don’t do this are putting themselves at real risk of suffering potentially damaging fines, impacting not just finances but also reputation, with the potential loss of business.
Establishing organisational processes and taking on comprehensive GDPR solutions will make the implementation of GDPR easier and more effective. Don’t let your organisation be the next headline ICO fine.