It’s been one year since the General Data Protection Regulation (GDPR) came into play on 25th May 2018, and there have been many mixed emotions on the effect it’s had on businesses.
Some have praised GDPR, saying it's had a very positive impact on the way personal data is handled and distributed, and that it has raised awareness amongst employers about the right way to manage customer data and privacy. On the other hand, it has caused some controversy and misunderstanding about what is now acceptable, and the size of the administrative fines has unsettled many businesses.
Now seems like the best time to revisit the topic, understand why getting on board is still so relevant, and recognise the true gains of mapping out an entire security landscape, inclusive of GDPR compliance.
The sands have shifted since May 2018, as more and more businesses have come to terms with the seriousness of GDPR. You have probably noticed the visible changes. The marketing emails you receive, for example, almost always carry clear options for opting in and out, or for changing your preferences. Upon entering a new website, you will also see cookie options that let you accept or decline the company's collection of your personal information.
People are fully aware of GDPR now, and the pressure is on to ramp up data privacy and security. However, although global spend on cyber security has generally increased, and the adoption of compliance strategies is on the rise, there is still a huge gap where businesses haven't even begun to make changes. Since GDPR came into motion, there have been 59,000 data breaches within the EU, and 10,600 breaches in the UK alone (DLA Piper Data Breach Survey, Feb 2019). Earlier this year, Google received the biggest fine so far, €50 million from the French DPA (CNIL), for lack of transparency, inadequate information, and lack of valid consent for the use of personal data in personalising advertising. We have also seen fines of £500,000 issued to Facebook and Equifax – both for failing to protect personal information.
The threat landscape is changing, and although this may seem scary, it is also giving businesses a huge opportunity to map out a grand plan – one that goes beyond just GDPR compliance.
The prevailing attitude to security is that businesses don't believe they are doing anything wrong. Clients haven't had enough issues, or at least none they are willing to admit, and so businesses keep taking the risk. Also, the fines we hear about are being issued to global multi-million pound companies, so the belief is that the regulators' attention is always focused somewhere else.
Looking at the wider picture, businesses don't see security as a high priority. If your system doesn't get hacked, nobody has anything to say and everything is as it needs to be. As soon as something goes wrong, whether the network goes down or gets hacked, everybody complains about how bad the systems are, and how there surely should have been better security measures in place to prevent this kind of thing. Avoiding that requires a proactive approach.
Perhaps the problem is the lack of processes or simple practices being exercised. What's essential to GDPR, and generally to any business landscape, is having a clear-cut procedure or process in place to avoid mistakenly or inadvertently breaching the rights of your customers (by leaking their sensitive data). Rather than taking a reactive approach, i.e. waiting for a hack to happen or a fine to be issued, all businesses should be leaping at the opportunity to be proactive and encourage change both internally and externally. There are endless tools, processes, and actions that can empower your people to be more proactive. We often recommend starting with an audit.
What businesses haven't embraced is the fact that GDPR gives you an opportunity to drive growth, and to educate your people on the importance of security on a larger scale.
Developing a security strategy that encompasses GDPR, along with security controls and preventative tools that put your whole business under protection, is what we should all be striving toward.
What matters is value. Essentially, you wouldn't leave your house for the day with all the doors and windows open. So why aren't businesses applying the same level of protection to their hard work? You wouldn't leave the office without locking your computer, or run your network without a password. Adopting the mentality that security decisions add value in this changing landscape will ultimately transform how your business operates. People will become more aware of the importance of cyber security as a whole, think about the way they go about their daily work, and therefore be more attentive to the handling of data.
Why not take the first step today? Educate your people. Remind them that it's been a year since GDPR and the focus on data protection prevails. Ask them how they handle client data on a daily basis. Give them recommendations on how they can improve data security. Ask them for ideas on how to improve actions and processes going forward that are aligned with the regulation.
We know it’s not easy to adopt change without a full understanding of the relevance or importance of it, but this will always be the case with security and data protection. If there is ever a time to put security at the top of your checklist, it is now.
Concentrating more specifically on GDPR, it’s fair to say that although a lot of businesses aren’t making changes, more and more people are reviewing their privacy policies. The talk around the seriousness of GDPR and the repercussions if you face a violation will continue to give businesses the kick they need to drive change.
There are plenty of things you can be doing that will improve your stance. We've mentioned educating your staff and carrying out a GDPR audit. But take the time to figure out what's important to your business, and know that we'll be here once you've decided, ready to help you out!
Get in touch if you're interested in finding out more about our specific GDPR offerings.