Why organisations can’t afford to forget about data protection and GDPR
You probably can’t believe we’re saying it because it feels like only yesterday that we had GDPR fatigue – constant reminders from every publication, a little fearmongering here and there, and generally an overload of information.
It has been almost a year since the UK passed the Data Protection Act (DPA) 2018, making GDPR law, and only 59% of companies feel they are meeting all or most of the DPA’s requirements (Cisco’s Data Privacy Benchmark Study).
However, we’re already starting to see the legislation in action – you likely won’t have missed the French data authority fining Google a whopping €50 million after complaints about ‘forced consent’. And Google isn’t the only organisation to be fined – there have been 90 GDPR-related fines across Europe in the last few months, including a hospital in Portugal that was fined €400,000.
The two key issues within corporate organisations
While many organisations are benefitting from enhanced Data Protection, according to Cisco’s Data Privacy Benchmark Study, there are still two key issues that we are seeing at this point:
Data Protection is no longer a priority
Many organisations put in a lot of work in the lead up to the enforcement date and then promptly moved Data Protection to the bottom of the priority pile once that date passed. When it comes to information security, ongoing compliance is just as significant as the initial work you put in. Not placing importance on ensuring data protection processes and policies are followed means that, over time, they are diluted and forgotten, ultimately placing the organisation in a non-compliant position. In this situation, should there be a breach while your organisation is not compliant, fines are likely to be significantly higher, which can impact both the bottom line and reputation.
Data Protection was never a priority in the first place
While aiming for the bare minimum might be the easiest option—particularly if you’re not sure how the Data Protection Act (2018) applies to your business or you don’t know where to start—it only takes a breach or a complaint for things to get very expensive. In Cisco’s Data Privacy Benchmark Study, 29% of respondents said they were not yet compliant but hoped to be so within a year and 9% said they were not yet compliant and may not be for more than a year.
The next steps for remaining compliant
Because our Data Protection team sit within our Information Security Management Practice at PGI Cyber, they look at data protection from a broader viewpoint – they recognise the practical risks and threats outside the scope of companies that only ‘do’ GDPR.
They also understand how data protection, information security and business risk management work together, and use that understanding to help you implement your data protection requirements in a practical way. From recent projects, they have found three key areas organisations need to review to ensure ongoing compliance:
What is your current level of compliance?
A gap analysis will help you understand where you are (and aren’t) complying with the DPA. This is best done by a third party, as they will have both the experience and the fresh eyes required to see weak spots. A gap analysis usually only requires a short consultancy piece, with a Data Protection expert providing a detailed report outlining a road map to compliance.
How will you implement data protection?
After a gap analysis, the implementation of the road map—including the core elements of the Data Protection Act, such as subject access requests, data privacy impact assessments or a PII register—can be technical and resource-heavy. Again, an external supplier can provide the short- to medium-term resource and expertise required to implement the key elements of the DPA.
Is someone overseeing your data protection?
In some cases (such as processing special categories of data), an organisation must appoint a permanent Data Protection Officer (DPO). However, many businesses won’t have someone with the right experience, or the budget for a full-time equivalent position. It is possible to engage a DPO as a managed service on a part-time basis, who will be responsible for an organisation’s bespoke data protection requirements. A range of options are available for this type of service upon consultation and request.
PGI’s Data Protection team offer all these services, as well as bespoke consultancy, to help your organisation move towards and maintain compliance. Contact us to talk about how we can help: firstname.lastname@example.org or via phone +44 (0) 845 600 4403