Research conducted by BSI’s Cybersecurity and Information Resilience centre of excellence has revealed that monitoring of third-party compliance is the most challenging aspect of the GDPR one year on. Other challenges include budget allowances for implementing compliance in a way that demonstrates and prioritizes value, monitoring of data breaches, and handling of Data Subject Access Requests (DSARs).
Commenting on the research, Conor Hogan, Senior Information Governance Manager at BSI, said: “We are one year on from the implementation of the GDPR and many organizations have a good understanding of the compliance requirements. What’s interesting from our research is that there are ongoing challenges, specifically with third-party compliance. We see companies managing these requirements with Excel spreadsheets and this needs to change. Monitoring of third parties is a critical compliance process and there are software solutions available that assist with regular third-party compliance monitoring and risk management processes.”
“Allocating budget can be more challenging, so for this it’s important to record the metrics of any incidents when they occur, so that they can be measured against the operational impact for the organization to demonstrate the value of the GDPR preparedness required. An incident can include a data breach and a DSAR; these can have a significant impact on resources for an organization.”
Regulatory investigation
According to the International Association of Privacy Professionals (IAPP), since the implementation of the GDPR more than 280,000 cases have been received by Data Protection Authorities. To date there have been 89,000 data breach notifications, 144,000 individual complaints and over 440,000 cross-border cases, and GDPR enforcement actions have resulted in fines in excess of €56 million.
While many organizations claim to be satisfied with their GDPR compliance efforts to date, the BSI research highlighted that 40 per cent of respondents were not prepared for a regulatory investigation. Alarmingly, an additional 34 per cent stated they did not know whether their organization was ready, and only 26 per cent said their business was prepared for an investigation.
“The IAPP data shows that GDPR enforcement is being taken seriously and it affects companies of all sizes. In France the largest fine, at €50 million, was issued for invalid consent and breach of transparency obligations, handled by the French data protection authority (CNIL). In Italy the Garante fined a data processor €50,000 for lack of implementation of privacy security measures, and in Ireland the Data Protection Commissioner (DPC) is currently working on at least 54 investigations, many with large multinational technology firms,” said Conor.
Data protection breaches
Data breaches happen without warning, and incidents are wide-ranging: sending an email to the wrong recipient, physical theft of data, or an employee falling for a phishing email. In the last 12 months, one in five respondents to the BSI research reported that they had experienced a data protection breach. Breach handling is a key element of the GDPR, specifically the requirement to notify the supervisory authority (within 72 hours of becoming aware of a breach, under Article 33).
“It’s likely that an organization will experience a data breach during its lifetime, but the level of complexity and challenges faced will differ for each. Companies need to be prepared by focusing on security, data management, employee awareness and the compliance requirements of regulatory bodies. They need to know what data they have; where it is; the legal basis for it; who it is being disclosed to; how long they are going to keep it for; and the specific purpose for processing it.”
“The first year of the GDPR has been a bedding-in period and going forward we are certain to see mounting enforcement from the regulators. Compliance should be a prerequisite for all organizations, regardless of their size, and preparedness is the first step to achieving a state of enhanced information resilience,” concludes Conor Hogan.
BSI provides a range of solutions to help organizations address their information challenges covering cybersecurity, information management and privacy, security awareness, compliance and testing. For more information visit
More about Irish Tech News
Irish Tech News are Ireland’s No. 1 Online Tech Publication and often Ireland’s No.1 Tech Podcast too.
