GDPR and data security

Posted on Friday, September 18, 2020 by JONATHAN WEICHER

How has the General Data Protection Regulation (GDPR) affected your firm during the past two years? It has been nearly that long since GDPR went into effect across Europe, applying to any organization that handles the personal information of European citizens. Since that time, it appears to be living up to expectations. Firms of all kinds find themselves in a new ecosystem in which the old way of doing business (as it pertains to consumer and user data) has become insufficient.

In GDPR’s first eight months alone, there were a reported 160,000 breach notifications across Europe.[1] The Netherlands and Germany were the top two nations on this list, though France has imposed the largest amount in fines, a total of €51.1 million. There have also been over 500 cases of cross-border data protection rights since the regulation's inception[2]; these and other cases will be examined by the European Commission this coming May. And though there may yet be some businesses weighing the benefits of adhering to the new standards versus taking their business out of the region, for the most part there aren’t many holdouts. On a national scale, only Greece, Portugal and Slovenia have not changed their data privacy regulation to meet GDPR requirements.

GDPR fines

According to research from Forrester, 190 fines and other penalties have been enforced as of February 2020.[3] The largest fine to date has been €50 million, which the French data protection agency CNIL (Commission nationale de l'informatique) imposed on Google for poor transparency and for obtaining invalid consent. All it took for a German hospital to receive a €150k fine was an issue with the data of a single patient. Indeed, the greatest number of fines has come down to lackluster security standards within an organization: how the data is handled, such as collecting in excess of need. However, when a data breach is the culprit, the fines tend to be among the highest. Misuse or imprudent handling of personal data has likewise resulted in higher penalties. No wonder the regulations are generally touted as a success.

GDPR and data security

But GDPR is only going to be a harbinger in this realm, a pioneer in the booming expansion of consumer control over their own personally identifiable information (PII).

What companies can access, use, and store is rapidly changing. Data privacy laws have been passed around the world in GDPR’s wake, taking inspiration from it. Even pre-existing standards, like Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act) from 2000, will need to consider how best to update for the modern environment.

Indeed, in every industry and country, those who deal with sensitive data like this will need to recalibrate, if they haven’t already, how they approach data governance and all its associated risks. If they don’t, they’ll likely be unprepared when their own government passes its own data protection regulations.

This seems increasingly likely. Already the California Consumer Privacy Act (CCPA), GDPR’s younger American cousin, has taken effect as of January, the first comprehensive data privacy law of this kind in the US. California’s Attorney General will have the authority come July to enforce the new rules and levy penalties on those entities that mishandle the personal data of Californians. Although the regulation may not go as far as GDPR, their spirit and goals are the same. California residents will gain greater control over their PII and how it is handled.

Is GDPR in the US yet?

There remains, meanwhile, no national standard in the US. Until this changes, we can expect to see other states pass their own laws in emulation of these recent regulatory changes. Last year, Nevada amended its existing data privacy regulations to give consumers, like CCPA, an opt-out of the sale of their personal information. This past July, New York passed the SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), effective as of this March, which also takes aim at curbing data breaches. At the time, Dov Goldman, Director of Risk and Compliance at Panorays, told ISBuzz News, “NY regulates thousands of financial service firms that are headquartered or just have a presence in the state… In this regard, SHIELD may be to the US what GDPR has been for Europe.”

In hindsight, the comparison may be more apt for CCPA, but the message is the same. The status quo of data governance is going extinct, or evolving to meet the new pressures of modern business and technology.  
