Next month will mark the three-year anniversary of the EU’s General Data Protection Regulation (GDPR) coming into force on 25 May 2018 (the regulation itself was adopted in April 2016, with a two-year transition period).
GDPR had wide-reaching implications around the world: any organisation established in the EU, or offering goods or services to people in the EU, or monitoring their behaviour, was required to comply regardless of where it was based or where its servers sat. As a result, the conversation and expectations surrounding data privacy and cybersecurity shifted drastically. Other jurisdictions followed suit; for example, the state of California brought its own GDPR-inspired law, the California Consumer Privacy Act (CCPA), into effect in January 2020, and it is already due to be extended by the California Privacy Rights Act (CPRA) in 2023.
Over the past few years, independent regulators such as the Information Commissioner’s Office (ICO) in the UK have handed down some striking fines. In October 2020 British Airways and Marriott were fined £20 million and £18.4 million respectively for data breaches that exposed customers’ personal data. It is clear that the consequences for ignoring GDPR are severe, and three years on, failure to comply can no longer reasonably be put down to lack of preparation.
So, what does that mean for you and your organisation today? Here are a few things to consider as we head into May:
- Your current data and processes: How GDPR compliant are your current processes and data storage? Remember that the right to erasure (Article 17) allows any individual whose personal data you hold, whether client, customer or employee, to ask you to delete it, subject to exceptions such as data you are legally required to retain for financial or regulatory reasons. How feasible is this for your organisation: can you actually find every copy of a person’s data, including backups and exports? How secure is your data storage? Are you using identity and access management (IAM) with least-privilege access to personal data, for example, and can you show who accessed what and when?
- Your current suppliers and third parties: Do your suppliers or third parties hold or process any of your client or customer data? What connections do they have into your organisation, such as VPNs, API integrations or shared accounts? What is the compliance and cybersecurity status of your third parties, and do your contracts with them cover their GDPR obligations as processors? Are you using a tool to manage your suppliers’ digital footprints, or are you tracking this manually?
- Your future data and processes: Starting from now, do you have a lawful basis (Article 6) and a genuine business need for all of the data you will collect in the future, or are you collecting more than the purpose requires? What does the data storage process look like now? Has it changed due to Covid-19 and remote working, with data now held on home devices or in new cloud services? Are you working from a place of security- and privacy-by-design, as GDPR’s data protection by design and by default (Article 25) requires?
GDPR may seem like just another piece of bureaucracy, but adhering to its principles has kept organisations accountable for their cybersecurity policies, especially those covering personal or sensitive information. As digital transformation continues, GDPR will remain a necessary tool to ensure that organisations, including yours, are better prepared against the cyber threats of the future.