GDPR and Cybersecurity: Embrace Governance for Stronger Results

Download the full publication below:

Data is more important than ever

Gaining key insights from data analytics is extremely powerful for any organization in the market today whether it is used for products, services, customer interaction, vendor discussion, or even employee management. In the process of acquiring and utilizing the data, organizations are now held to a higher standard of protecting this information. Adherence to regulatory compliance requirements are mandatory and can provide a unique opportunity to be a differentiator in the market place.

The path to compliance is challenging...

General Data Protection Regulation (GDPR) is a perfect example of how challenging compliance and adoption can be. Following the May 25, 2018 GDPR deadline, many companies worldwide are still working towards compliance.  According to a Cisco survey of 3,200 privacy and security and professionals in 18 countries, eight months after GDPR came into force, only 59 percent of all companies were meeting most/all of the GDPR requirements, 29 percent expected to do so within a year and 12 percent said they would take more than a year. In particular, 57 percent of companies in the United States reported being GDPR-ready.

…and requires resources.

In working towards compliance, a Deloitte survey found that six months after the deadline, 70 percent of the 1,100 firms surveyed reported that they had seen an increase in staff that are partly or fully focused on GDPR compliance (with there being little difference between EU and non-EU countries), and 87 percent of all firms had appointed a Data Protection Officer (DPO) (with there being little difference with US firms at 86 percent).

These survey results show that both EU and non-EU countries are quickly improving their compliance position, though, for many companies, significant changes in the processes and technologies used to manage customer data still lie ahead.

Resources that generate benefits…

For companies that are GDPR-compliant, benefits have already been favorable from these proactive privacy investments. The Cisco survey found that compared to companies who are expecting to take more than a year to meet GDPR requirements, GDPR-ready companies were less likely to have experienced a breach (74% vs. 89%); and when a breach had occurred, fewer records were impacted (79,000 vs. 212,000), and there was a shorter window of system downtime (6.4 hours vs. 9.4 hours). In addition, avoiding hefty fines was not the only financial benefit - only 37 percent of GDPR-ready companies had a loss of over $500,000 last year from data breaches compared to 64 percent of the least GDPR-ready companies.

Thus, GDPR is enhancing data security and boosting consumer confidence, while reducing costs associated with breaches.

…and better results than enforcement alternatives.

Under the GDPR, EU member states’ supervisory authorities, and data protection authorities (DPAs) have powers to ensure adherence to GDPR principles and the rights of data subjects. Supervisory authorities are allowed to take corrective measures to address infringements. One of the most important enforcement tools are GDPR fine violations: up to 4 percent of global revenue or €20 million (approximately US$23 million), whichever is higher. As DPAs continue to grow and develop, it is expected that the enforcement of GDPR will pick up in both speed and costs.

GDPR case examples include:

• The UK’s DPA, the Information Commissioner’s Office (ICO), issued the first GDPR Enforcement Notice in July 2018 against Aggregate IQ Data Service Ltd. (AIQ), a Canadian data analytics firm linked to Cambridge Analytica. The ICO Notice expressed concern with AIQ’s use of personal data to create targeted messaging on behalf of various UK political organizations. AIQ has since appealed the Notice and that appeal is still pending.
• Germany’s DPA imposed a fine of €20,000 on a provider who failed to implement adequate security measures, resulting in a data breach that left the personal data of 333,000 users of a chat platform publicly available to hackers.
• The Austrian DPA imposed a fine of €4,800 on an entrepreneur for illegal video surveillance activities because the CCTV camera in front of his establishment also recorded a substantial section of the sidewalk.
• The Portuguese DPA imposed a fine of €400,000 on a Portuguese hospital for failure to implement adequate security measures because its account management practices were found to be deficient.
• French regulators presented Google with the first major GDPR violation fine, nearly €50 million (US$57 million) in January 2019. Regulators began investigating Google on May 25, 2018 (the day GDPR went into effect) in response to concerns raised by two groups of privacy activists. The investigation revealed that Google failed to fully disclose how users personal information was collected and what happens to their information. The tech giant also did not properly obtain users’ consent for the purpose of showing them personalized ads.

These case examples and fines illustrate the measured way data protection agencies are carrying enforcement requirements to organizations of all sizes, industries, and geographic location. These early case examples are a call to action for every organization to be diligent in the protection of data.

Cybersecurity compliance is growing

GDPR has motivated governments outside the EU to adopt their own data protection laws to keep in line with requirements:

• Brazil has recently passed its own GDPR-style law, and a draft of a GDPR-inspired data protection bill has been submitted to India’s legislature.
• In the United States, the State of California passed the California Consumer Privacy Act (CCPA), which provides GDPR-like protections and gives California consumers broader access and control over their personal information. This law comes into effect in 2020.
• Talks of a national law have also begun at the federal level, as congressional leaders in both parties have expressed interest in data privacy legislation.

Recommended steps to embrace governance

2018 laid the groundwork for GDPR and 2019-20 will ensure enforcement. Moving forward, data regulations and laws will continue to have a global impact on every organization. Each regulation is unique, but they have a common call to action that organizations must address:

• Ensure proper governance, compliance, and policies are in place to compete long term.
• Adjust to the 'new normal' of privacy rights and mobilize stakeholders to 'future-proof' new structure models that accommodate granular levels of control.
• Review enterprise technology architecture and strategic partnership policies to ensure compliance of internal and external teams.
• Ensure repeatable processes to identify, document, and nurture EU citizen clients appropriately preserving, protecting, and guarding data.

As we know, GDPR is just the start. Several countries have passed recent regulations and expect many more to follow within the next few years. Take time to understand the needs of your compliance journey and work towards adherence to ensure future success. Partnering with advisory experts will help make sense of the complexity, bring alignment to teams and build enterprise-wide solutions that position your organization for future success.

Sources:

1. Cisco. (2019, January). Maximizing the value of your data privacy investments: Data benchmark study. Retrieved from https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/dpbs-2019.pdf
2. Deloitte. (2018). A new era for privacy: GDPR six months on. Retrieved from https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-uk-risk-gdpr-six-months-on.pdf
3. XPAN Law Group. (2019, January 15). Where are we now? Six months into the GDPR. Retrieved from https://xpanlawgroup.com/where-are-we-now-six-months-into-the-gdpr/
4. Romm, T. (2018, January 21). France fines Google nearly $57 million for first major violation of new European privacy regime. The Washington Post. Retrieved from https://www.washingtonpost.com/world/europe/france-fines-google-nearly-57-million-for-first-major-violation-of-new-european-privacy-regime/2019/01/21/89e7ee08-1d8f-11e9-a759-2b8541bbbe20_story.html?utm_term=.1864bed3ad76
5. Feiler, L. (2018, December 18). Takeaways from the first GDPR fines. Retrieved from https://www.lexology.com/library/detail.aspx?g=a91ba97a-eae9-408c-a53f-c47d1c6d62e
6. O’Brien, D. (2018, December 28). The year of the GDPR: 2018’s most famous privacy regulation in review. Retrieved from https://www.eff.org/deeplinks/2018/12/year-gdpr-2018s-most-famous-privacy-regulation-review
7. Pimentel, A. & Schreiber, M. (2018, November 5). GDPR 6 months after implementation: Where are we now? Retrieved from https://www.ofdigitalinterest.com/2018/11/gdpr-6-months-after-implementation-where-are-we-now/
8. Kerry, C. (2019, January 7). Will this new Congress be the one to pass data privacy legislation? Retrieved from https://www.brookings.edu/blog/techtank/2019/01/07/will-this-new-congress-be-the-one-to-pass-data-privacy-legislation