When GDPR came into force on May 25, 2018 and with it the prospect of hefty fines for organizations that fail to protect the personal information of EU citizens, many thought we would see a flurry of high-priced penalties. While we have seen a deluge of data breach notifications being filed with the Information Commissioner’s Office (ICO) — nearly 65,000 so far according to a new EU data protection board report — we haven’t witnessed the barrage of high-profile violations many people predicted. At least not yet.
Google is the one exception. As has been widely reported, the French data protection authority CNIL issued Google a €50m fine for violating GDPR transparency rules and failing to have a legal basis for processing user data for advertising. Google is appealing the case. Other fines have been handed down too, but none comes close to the Google price tag.
One Year Later
One year into GDPR enforcement, regulators are busy investigating the thousands of breach notifications – and staffing up to meet the now-immense workload. The ICO has doubled their staff; Nordic regulators have increased their funding for growing legal case work, to name but two examples. We can expect that once the legal and investigative teams have completed their work, enforcement will begin and with that, high prices for non-compliance.
While regulators scramble to investigate the thousands of data breaches already in their pipeline (with more coming in every day) and teams of attorneys navigate new waters within the legal system, what can you do to ensure your organization won’t be making the wrong kind of headlines in 2019 and beyond?
Make Data Privacy an Organizational Priority
To be most effective, GDPR compliance must be an organization-wide effort. Here are five tips for integrating data privacy principles across all levels of your organization:
- Involve leadership and communicate clearly. Because data privacy must start at the top, let senior leadership or the Board of Directors know where the organization is regarding risks and mitigation action plans. Accountability for completion of planned actions should be communicated and enforced.
- Train employees. Clear and concise information on the importance of data privacy should be communicated continuously throughout the organization. Training on GDPR (or any other data privacy regulation) should be required for any employee who may access, process, transmit, or store personal information. Open dialogue with employees should be enabled to provide mechanisms for employees to report when privacy violations occur, or when policies, processes, or controls need improvement.
- Set guidelines for your partners. Whether your organization is a controller working with processors who handle data on your behalf, or a processor acting on behalf of a controller, open dialogue and communication with those partners should be a priority.
- Test and audit. Testing and validation of data privacy processes and controls should be an ongoing initiative. Leverage internal audits to perform independent testing of processes and controls.
- Conduct incident response practice exercises. Control owners should perform table-top exercises to ensure that everyone is familiar with incident response procedures.
Because you can’t secure what you can’t see, another important step is to maintain uncompromised visibility and control over all of your endpoints, whether they are on or off your corporate network. Be sure to benchmark your security controls against compliance standards and stay audit-ready.
For more on how to lay out a path for harmonious ways to work within the law while also advancing technology, listen to our panel discussion with both legal and IT experts, IT on Trial – Guilty Until Proven Innocent?