GDPR 2 Years On: Keeping up with compliance

GDPR guest post by Marc O’Regan, CTO, Dell Technologies Ireland

The General Data Protection Regulation (GDPR) came into play just over two years ago – and today, the compliance challenge remains for many. As the adoption of digital technologies accelerates in light of the pandemic, ensuring citizen data is protected is crucial. But the pressure is more acute as the rate of cyber hacks and attacks continue to rise –and Irish businesses face unique challenges.

Europe leads the way when it comes to enshrining the protection of citizen data and privacy in law. The regulation gives rights to individuals around how their data is collected, stored and erased, and providing in-country regulators with the means to reprimand those companies that fail to comply. If the hefty fines of up to €20 million or 4 per cent of revenue aren’t enough to avert complacency –the reputational damage incurred as a result of failing to comply should be.

Since the introduction of GDPR, regulators have already imposed hundreds of fines. According to GDPR Enforcement Tracker regulators in Spain have imposed the most fines to date – 80 in total amounting to a sum of €2,515,270. Germany isn’t far behind, in third position amongst its EU counterparts, having handed-out 20 fines so far, to a larger sum of €25,137,925. This highlights the varying degrees to which fines are being incurred.

The nation dishing out the heftiest fines so far is the UK, which despite only imposing three fines has racked up a sum of €315,310,200. These fines include two landmark cases involving airline British Airways (£183m) and hotel group Marriott International (£99m). But the UK is not alone. France imposed 5 fines amounting to €51,100,000 and Italy imposed 11 fines amounting to €39,452,000. Ireland has a number of outstanding cases with its first fine of €75,000 issued last month.

Overall, there have been 237 GDPR fines up until May 2020 and the top three offences have been: Insufficient technical and organisational measures to ensure information security; insufficient legal basis for data processing; and non-compliance with general data processing principles.

These figures demonstrate that GDPR is being upheld, which is good. But they could also lull smaller businesses across Ireland into a false sense of security, associating these big fines with big business. Complacency is a dangerous mindset that fails to take into account the cultural as well as regulatory changes that have taken root in the last two years. What these figures don’t take into account is the unquantifiable reputational damage data breaches cause, along-side faulting consumer confidence.

In March 2020, a record 32 GDPR fines were imposed. Today, as the digital transformation of businesses accelerates through a global pandemic, workers across Ireland are more reliant than ever on innovative technologies. It is essential that businesses not only fully understand their responsibility but, continue to evolve their data protection checks and balances to ensure they remain aligned with the general data processing principles.

Dell Technologies’ recently published research, ‘Dell Technologies Global Data Protection Index 2020’, highlighting the stark rise of cyber-attacks and disruptive events which affect 82 per cent of organisations. According to the study, organisations are now managing 13.53 petabytes (PB) of data, nearly a 40 per cent increase since the average 9.70PB in 2018, and an 831 per cent increase since organisations were managing 1.45PB in 2016.

The largest threat to all this data seems to be the growing number of disruptive events, from cyber-attacks to data loss to systems downtime. The majority of organisations (82 per cent in 2019 compared to 76 per cent in 2018) suffered a disruptive event in the last 12 months. And, an additional 68 per cent fears their organisation will experience a disruptive event in the next 12 months.

As emerging technologies continue to advance and shape the digital landscape, organisations are learning how to use these technologies for better business outcomes. However, the research demonstrates that businesses are struggling to find adequate data protection solutions for emerging technologies like 5G and edge infrastructure (67 per cent), and AI and ML platforms (64 per cent).

But for businesses with more limited budgets and smaller IT teams, staying on top of GDPR compliance may be more of a struggle –and potentially overwhelming. The good news is that regulators have improved their approach when it comes to advising small and medium businesses.

While the regulation is not prescriptive the governing principles are clear and those who can demonstrate their intention to comply are viewed in a better light than those who stubbornly ignore it –hence the sizable fines above. For example, ensuring all personal data is encrypted, that only essential data is stored and that citizens have opted into the use of their data –having had the way it will be used explained clearly.

There are steps that can be taken without applying big budgets. But equally, investing in data protection solutions and strategies is an important step towards future-proofing businesses in a digital world. Data protection needs to be central to a company’s business strategy. As the data landscape grows more complex, organisations need nimble, sustainable data protection strategies that can scale in a world increasingly shaped by technology.