Four years on companies still struggling to ensure GDPR compliance, writes AJ Thompson, pictured, CCO, at the IT consultancy Northdoor plc.
GDPR is now four years old. Introduced with great fanfare and huge publicity in May 2018 the regulation was meant to ensure the better protection and use of data. However, in the years since, there has been huge change in the business landscape. The pandemic and as a result of lockdown a move towards remote working (allowing companies to recruit across country boundaries), Brexit and an increase in globalisation have all had a huge impact. Just in the last few months we have seen a remarkable increase in geo-political issues, rising energy prices and inflation all negatively impacting society and businesses.
The world is more complex than ever before and cyber criminals know it. The last few years have seen an increase in the levels of sophistication of cyber threats. As a result, the need to keep data security and risk management processes up to date has become critical.
ICO fines regularly
Unlike some regulations that have been introduced over the last decade we have seen an immediate impact of GDPR. Data commissions across Europe have been proactively enforcing the regulations with multiple fines or threats of fines coming at regular intervals. These fines have been aimed at companies of all sizes from SMEs to some of the largest companies in Europe. Some sectors have had to be on the front foot when it comes to ensuring compliance because of the highly sensitive nature of the data that resides within their infrastructure. The financial and insurance sectors for example have introduced additional regulation that compliments GDPR, ensuring that companies within the sectors have increased operational resilience and a reduction of risk.
However, despite the efforts in some sectors, others have stalled in their focus on data security. After the initial ‘panic’ that set in after the high-profile launch of GDPR, many companies have sat on their hands, presuming that after achieving initial compliance that the job was done. This was not helped by a weakening of legislation which changed to state that companies only needed a plan of their plan, rather than to necessarily implement it. As a result, some companies have tended to sit back and put their heads in the sand about the increasing threat to data from cyber criminals and their own internal handling processes.
Compliance is not a tick-box exercise
Complacency is a common issue for many regulations. However, GDPR is focused on protecting data and so companies should see this not as a box-ticking exercise but rather an important effort to protect customer data. Any breach resulting from a lack of priority placed on data can result not just in financial penalties but a huge hit to reputation too.
Despite achieving adherence back in 2018, many companies are now some way behind the curve in terms of compliance, simply by doing nothing for four years. Unfortunately for them the GDPR compliance journey is not box ticking exercise but rather a journey that needs to be constantly reviewed and amended.
This lack of proactivity has meant that many are no longer compliant and either do not realise it or are happy to keep their head in the sand. This mentality not only puts their data at risk but means that there is a real chance that the ICO will catch up with them. As of April 2022, there were more than 1000 fines handed out, with the total amount of GDPR fines at a staggering 1,612,193,292 euros. The early days of GDPR these fines tended to be as a result of massive data breaches where cyber criminals had secured access to sensitive data.
However, since then the focus has shifted a little. Although large hacks are still under investigation and companies fined, data commissions from across Europe are looking more into the poor internal processes within companies that can lead to data breaches or poor use of data, rather than just the breaches themselves. This means that those companies happy that their adherence from 2018 is still valid might be in for a costly shock.
The constantly changing regulatory landscape reinforces the fact companies have to see GDPR compliance as an ongoing process. Further proving this is the increase in Subject Access Requests (SAR). This is where an individual has the right to see what data a company holds on them and how they are using it. These requests, although not seen in huge numbers yet, can cause a real issue for some companies. Unless specific processes are in place and an ongoing, up-to-date record kept, that accessing the information can be a time consuming and painful task, but one that all companies are obliged to undertake.
The industrialisation of processes is a must to ensure adherence
Whatever the current status of a company’s data protection and protocols, ‘industrialising’ these processes is a must if they are to keep up with an increasingly complex and demanding regulation such as GDPR.
So, what do we mean by industrialising the process?
Essentially, we believe that embedding all compliance processes into business-as-usual practices. This ensures that they become high automated which means that instead of relying on one or two people within an organisation to ensure compliance it happens automatically. This means that any new rules are recognised and implemented without having to be manually checked and changed. As we have seen over the past two years applications are constantly being reviewed to see whether they are in line with GDPR rules. If any changes are not recognised and implemented by companies, they suddenly find themselves no longer compliant and at risk of being fined.
After the fanfare of launch in 2018, many companies have let inertia creep into the attitude about GDPR. With the fourth anniversary just passing now is a good time for companies to relook at the adherence, their internal processes and their staff’s knowledge of the regulation.
Without this many companies could fall foul of the ICO by simply not fully understanding what the regulation is and what falls under it, rather than being victims of a high-profile data breach. The result of being pulled up by the ICO is not just financial. The last four years have seen the ‘threat’ of fines a more common approach from data commissions, rather than the actual collection of money. This in itself though has proved disastrous for some.
The high-profile nature of GDPR means that customers have more of an idea about the nature and value of the data being held by companies. They are more discerning as to the type of company they are willing to share data with or deal with. The hit on a company’s reputation as a result of being held up by the ICO as an example can have much larger and more long-term impacts than simply a fine.
Automating the internal GDPR processes means that much of the uncertainty is taken away. Companies can be more confident that they are adhering the latest version of the regulation, as well as, most importantly ensuring that the data they hold is protected and used in the most secure and responsible way possible.
