May will mark a year since the General Data Protection Regulation (GDPR) was enacted. We are now starting to see the first significant fines levied against organisations violating this legislation, which begs the question – where are we now in terms of GDPR compliance? Jim Barkdoll, CEO, TITUS, attempts to answer this very question.
Lack of enforcement and resulting confusion
When GDPR was developed, consumers and many in the security community believed this was a watershed moment for data security and data privacy. But the first truly significant fine levied based on GDPR regulations was against Google and didn’t have a lot to do with data privacy or protection. This action contributed to the confusion that persists around what it means for an organisation to be truly compliant.
At this point, many might question why confusion exists a full year after GDPR was enacted. There are two significant factors driving this – the broad way in which GDPR defines ‘personal data’ and the ‘good enough’ approach organisations take when trying to become compliant.
At its core, GDPR drives organisations to put better protections in place around personal information. But how personal data is defined is complicated. In short, the legislation defines personal data as ‘any information relating to an identified or identifiable natural person.’ That’s awfully broad, which is by design.
The effect of this broad definition is organisations are confused as to what information must be most critically protected and if/how information has been incorrectly exposed. As a result, many are over reporting data breaches.
In a speech late last year, UK Deputy Information Commissioner James Dipple-Johnstone noted organisations were reporting potential or supposed breaches in an effort to be transparent. The time and effort required to report breaches that may not have even occurred, simply to avoid consequences, would be better spent applying protection to personal data and becoming compliant.
As significant fines are levied, I believe the definition of personal data will become clearer. But that’s the catch and reflects my earlier point – we’re still waiting for regulators to levy a substantial fine for failure to protect personal data and/or the inability to prevent a data breach. Until that happens, confusion will remain rampant and organisations will flounder in their efforts to achieve GDPR compliance.
Changing the ‘doing just enough’ attitude
A byproduct of the confusion around GDPR compliance is the attitude many organisations employ in their compliance initiatives and efforts. I believe the true inspiration behind GDPR was to force organisations to become good data stewards, to re-examine their data management and protection policies and to develop strategies that would give consumers peace of mind that their data was protected by these companies.
But that’s not what’s happening. Instead of employing good data stewardship practices, many organisations focus their compliance efforts on doing just enough to avoid fines or other punitive consequences. The definition of ‘just enough’ will continue to be a moving target given the broad definition of personal data contained within the legislation. As a result, organisations with this mindset will find true compliance remains elusive.
As is the case with the confusion around personal data, the driving force for better data stewardship – or, complying with the spirit as well as the letter of GDPR legislation – will be significant enforcement actions and fines. Luckily, as more nations and regions/states enact legislation like GDPR, there will be more opportunities for this type of meaningful enforcement.
The rise of legislation – who’s doing it right?
From California to Brazil to India, everyone is clamouring to enact GDPR-like legislation aimed at protecting consumer data. While I’d love to say this movement is truly altruistic in nature, it’s likely these governments understand the revenue potential they can realise through fining organisations that fail to comply. That said, what these laws mean is eventually organisations who want to do business anywhere will need to consistently demonstrate personal data protection is top-of-mind in their business practices. More importantly, I believe these laws will act as a forcing function to change the mindset of those organisations who only want to do what they must to meet basic compliance requirements.
I saw an example of this attitude shift during a recent trip to India. India is looking to enact data privacy legislation later this year, and in speaking with Indian executives and security professionals, compliance is top-of-mind. But their efforts go further than that. Instead of asking about specifics around what actions would constitute failure to comply, I found Indian security leaders were concerned with bettering their overall data protection and privacy practices. They were dedicated to enacting best practices around data protection and privacy now, so that when the regulations are enacted, they can be assured their organisation will already be compliant.
I believe that as we see more legislation enacted we will slowly start to see a shift in attitude, and Indian organisations are clearly leading the way.
Changing attitudes through best practices
While this shift in attitude slowly comes to fruition, more organisations will undoubtedly ask what they can do to enact data protection and privacy strategies and policies that work for their organisation. In speaking with companies worldwide, a few key practices come to mind:
- Know where personal data resides in your organisation: This sounds self-evident, yet with the massive amounts of structured and unstructured data created daily, many organisations don’t know where personal data resides. This is particularly true when it comes to unstructured data (emails, files, etc.). According to a recent article in the Harvard Business Review, 80% of data analysts’ time is spent simply discovering and preparing data and less than one percent of an organisation’s unstructured data is analysed or used at all. Without identifying what personal data exists and, more importantly, where it exists, compliance efforts will be challenged.
- Obtain executive sponsorship and support: Compliance efforts can be hindered by internal politics. Because of the confusion that exists around compliance, it often becomes difficult for business leaders to agree not only on who drives compliance efforts, but also who is accountable in the event of questions or, unfortunately, punitive consequences or data breaches. Determining executive ownership is a critical element in a successful data protection and compliance programme.
- Ensure data is protected within and without your organisation: I recently had the opportunity to speak with a number of European security professionals about their data protection challenges, and they mentioned that driving data protection requirements of third-party vendors or partners was a significant challenge. One quick way to start addressing this is to add GDPR language to contracts, so it becomes clear who is accountable (your organisation or your partner’s organisation) for data once it leaves your walls.
Clearly, GDPR compliance will continue to be a daily challenge for organisations worldwide. It may well be that we don’t see a broad push for compliance until we see meaningful enforcement of this legislation. In the meantime, I believe that adopting a mindset aimed not only at compliance but at good data stewardship is a step in the right direction for organisations looking to have confidence in their handling of personal data.