GDPR – One year on

A blog from guest author Duncan Brown, EMEA Security Strategist at Forcepoint

GDPR has had a major impact on companies in the UK, as people scrambled to become compliant, or at least to understand how compliant they were, and then decide what to do next. Many firms spent millions investigating and protecting the personal data they held, but just as many did not act. Essentially, we are looking at a state of manual compliance: companies across the region have introduced new processes and policies, enough to satisfy an internal audit, but those processes have not yet been tested in practice.

Since GDPR became enforceable in May 2018, we have seen 90,000 breach reports across EMEA, but only around 150 newsworthy fines. The biggest example is the €50M fine imposed on Google by the French data protection authority, CNIL, for a lack of transparency and valid consent in how personal data was used for advertising personalization.

This illustrates perfectly that regulatory enforcement is still an unknown. While regulators have issued guidance, they are still determining how to exercise their powers. Enterprises should keep a close eye on the news to watch how regulators act in the months to come.

One positive trend we have seen is privacy becoming "business-as-usual". In many cases this means cultural change, but there are also ways to automate and operationalize compliance. With huge news stories like the Facebook-Cambridge Analytica scandal over data misuse, I think companies worldwide now truly understand the impact of ignoring privacy, and the legal framework of GDPR underlines this.

In terms of advantages, it is always good to know what data you hold and where you hold it. GDPR may have been a forcing function for auditing customer and other personal data, but beyond that, the regulation has made organizations examine their supply chains and partners, their data flows, and their security policies and processes.

We have seen some organizations significantly challenged by "over-compliance", deleting data they did not actually need to remove. In some cases I am aware of, this has cut companies' marketing databases by up to 90%, although one could argue that such extreme data cleansing is an opportunity for a fresh start: building genuine, engaged prospect mailing lists and increasing the chances of a positive outcome from marketing.

GDPR is by no means the only regulatory actor on the stage. It is being closely followed by a global wave of privacy regulations as other regions look to protect the rights of their citizens. Developments in the United States could create the next seismic shift in how global organizations operate. The California Consumer Privacy Act (CCPA), passed in 2018, maps closely to GDPR in many respects. Combined with existing sector-specific financial and healthcare privacy laws in the US, such as GLBA and HIPAA, this could pave the way for a federal privacy law.

For those in the UK already up to speed with GDPR, this gives us a moment to relax, as we are ahead of the game; alternatively, it could raise the bar for the protection of personal data another notch. I look forward to seeing what changes in the next twelve months.

If you are unsure whether you are GDPR compliant, it is not too late. Contact HANDD today and find out how we can help you in partnership with Forcepoint.