A $57 million fine. That was the size of the penalty the French data protection authority imposed on Google in early 2019 for violations of the General Data Protection Regulation (GDPR). Headlines like these are top of mind for business leaders across the globe. How does your organization ensure the right balance of risk management, data governance and cybersecurity controls is in place to compete in the digital age? Understanding these risks and designing clear governance strategies are key.
Gaining key insights from data analytics is extremely powerful for any organization in the market today, whether the data is used for products, services, customer interaction, vendor negotiation, or even employee management. In the process of acquiring and using that data, organizations are now held to a higher standard for protecting it. Adherence to regulatory compliance requirements is mandatory, and it can also be a differentiator in the marketplace.
The General Data Protection Regulation (GDPR) is a perfect example of how challenging compliance and adoption can be. Following the May 25, 2018 GDPR deadline, many companies worldwide are still working towards compliance. According to a Cisco survey of 3,200 privacy and security professionals in 18 countries, eight months after GDPR came into force only 59 percent of all companies were meeting most or all of the GDPR requirements, 29 percent expected to do so within a year, and 12 percent said they would take more than a year. In the United States specifically, 57 percent of companies reported being GDPR-ready.
On the effort going into compliance, a Deloitte survey of 1,100 firms found that six months after the deadline, 70 percent reported an increase in staff partly or fully focused on GDPR compliance, with little difference between EU and non-EU countries. Eighty-seven percent of all firms had appointed a Data Protection Officer (DPO), and US firms were close behind at 86 percent.
These survey results show that companies in both EU and non-EU countries are quickly improving their compliance position, though for many of them significant changes in the processes and technologies used to manage customer data still lie ahead.
For companies that are already GDPR-compliant, the proactive privacy investments are paying off. The Cisco survey found that, compared to companies expecting to take more than a year to meet GDPR requirements, GDPR-ready companies were less likely to have experienced a breach (74% vs. 89%); and when a breach had occurred, fewer records were affected (79,000 vs. 212,000) and system downtime was shorter (6.4 hours vs. 9.4 hours). Avoiding hefty fines was not the only financial benefit either: only 37 percent of GDPR-ready companies had lost more than $500,000 to data breaches in the past year, compared to 64 percent of the least GDPR-ready companies.
In short, GDPR is enhancing data security and boosting consumer confidence while reducing the costs associated with breaches.
Under the GDPR, each EU member state's supervisory authority, commonly referred to as its data protection authority (DPA), has powers to ensure adherence to GDPR principles and to protect the rights of data subjects. Supervisory authorities may take corrective measures to address infringements. One of the most important enforcement tools is the administrative fine: up to 4 percent of global annual turnover or €20 million (approximately US$23 million), whichever is higher. As DPAs continue to grow and mature, enforcement of GDPR is expected to pick up in both speed and cost.
GDPR case examples include:
These cases and fines illustrate the measured way data protection authorities are bringing enforcement to organizations of all sizes, industries, and geographies. These early cases are a call to action for every organization to be diligent in the protection of data.
GDPR has also motivated governments outside the EU to adopt their own data protection laws along similar lines:
2018 laid the groundwork for GDPR, and 2019-20 will be the years of enforcement. Moving forward, data regulations and laws will continue to have a global impact on every organization. Each regulation is unique, but they share a common call to action that organizations must address:
GDPR is just the start. Several countries have recently passed data protection regulations, and we expect many more to follow within the next few years. Take the time to understand the needs of your own compliance journey and work towards adherence now. Partnering with advisory experts can help make sense of the complexity, bring alignment to teams, and build enterprise-wide solutions that position your organization for future success.