Data Privacy Grows Teeth: GDPR Fines Leap 40% in 2020
Despite the unique challenges of 2020, the tempo of data protection legislation and regulation worldwide has continued to grow apace.
The California Consumer Privacy Act (CCPA) is now in its second year, with companies getting to grips with it both in the US and globally, given the reach of many businesses based in the State. New York State is planning the New York Privacy Act (NYPA), and the US Federal Government is also considering its options in this area.
In Europe, the more established General Data Protection Regulation (GDPR), in place since 2018, continues to challenge many organizations. Data protection regulators’ expectations across the European Union (EU) are rising as businesses continue to master the requirements.
The recent DLA Piper survey of GDPR fines and data breaches suggests the regulation continues to challenge many of them, even after nearly three years: penalties levied under GDPR rose by over 40% in 2020, to $193M.
From conversations with our customers, we know the requirements of GDPR are broadly well understood by companies, and the basics of managing the fundamentals of GDPR are in place. As borne out by these fines, the critical challenge for many businesses is embedding these fundamentals in the operational processes of the business.
What insights can we gather?
The critical issues uncovered in the research included overly complicated privacy notices, which undermine the transparency provisions. Many organizations continue to fail to secure consent to process personal information. Others fail to secure personal information properly, including monitoring access to and use of the databases that store personal data. Another issue was the failure to minimize the amount of data retained, which limits the impact on individuals if a security breach occurs.
The regulators primarily levied the fines on large corporates, which collect the largest volumes of GDPR-relevant data daily and have also made the most significant investments in people, systems, and tools to manage their compliance. This illustrates the challenge of addressing all of the details of GDPR, all of the time, as a business changes and continues to collect ever more data. It also highlights the operational challenges for those less blessed with time, resources, and budget.
The issues raised in the research are diverse. Still, there are common themes, primarily around ensuring that operational staff who use GDPR-sensitive data in their regular duties operate in a compliant way. While management and staff are broadly aware of GDPR, their limited understanding of the detail of the regulations as applied to their operational systems and processes (especially legacy applications or those outside the IT function’s control) can expose even the best-prepared business to non-compliance, and potentially to fines.
How to solve the problems of data privacy compliance
There are several ways to address these issues:
A unified policy management framework can help embed the principles and requirements of GDPR from the ground up in core processes and applications. A centralized policy repository lets any policy or procedure that relies on GDPR data be reviewed by both management and the GDPR team to ensure compliance. As the policy changes, it can be reviewed and approved by both, so that it either remains compliant or any emerging compliance issues are identified.
This centralized approach helps prevent multiple, inconsistent versions of a policy being used simultaneously, a situation guaranteed to create a breach of GDPR. It also supports testing users on how they apply GDPR, helping to monitor overall compliance training and assessment, and serves as an attestation engine for managers to demonstrate compliance, providing metrics that feed into the corporate GRC framework.
Another area to focus on is where personal information is stored outside the corporate IT environment. End User Computing (EUC) applications, typically spreadsheets, are often used as quick fixes to pressing business problems and so can contain personal information covered by GDPR. They are often unrecognized, uncontrolled, and unmonitored by GDPR teams. If they hold this information, GDPR requires that they be identified and proactively monitored, with staff able to identify changes to the data that affect GDPR obligations.
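The identify-and-monitor control described above can be sketched in code. The following is an added example written for this article, not a tool from the original post or from any vendor it mentions: it scans a directory of spreadsheet-style CSV files, flags those that look like they hold personal data (using assumed, illustrative heuristics: column names such as "email" or "phone", and email or phone patterns in cells), records a content hash for each file, and reports which flagged files were added, removed or changed between two scans. The sample files and directory layout are constructed inside the script.

```python
import csv
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics for spotting personal data in spreadsheet-style files. These are
# illustrative assumptions for this example, not a definitive GDPR classifier.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{8,}\d")
PII_HEADERS = {"email", "name", "phone", "date of birth", "address"}


def classify_csv(path):
    """Return (contains_personal_data, reasons) for one CSV file."""
    reasons = []
    with open(path, newline="", encoding="utf-8") as fh:
        rows = list(csv.reader(fh))
    if not rows:
        return False, reasons
    header = {h.strip().lower() for h in rows[0]}
    hits = sorted(header & PII_HEADERS)
    if hits:
        reasons.append("personal-data columns: " + ", ".join(hits))
    body = "\n".join(",".join(r) for r in rows[1:])
    if EMAIL_RE.search(body):
        reasons.append("email addresses in cells")
    if PHONE_RE.search(body):
        reasons.append("phone numbers in cells")
    return bool(reasons), reasons


def sha256_of(path):
    """Content hash used to detect changes between scans."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_inventory(root):
    """Scan a directory tree of CSV files and record which ones hold personal data."""
    root = Path(root)
    inventory = {}
    for path in sorted(root.rglob("*.csv")):
        flagged, reasons = classify_csv(path)
        inventory[path.relative_to(root).as_posix()] = {
            "personal_data": flagged,
            "reasons": reasons,
            "sha256": sha256_of(path),
        }
    return inventory


def diff_inventory(old, new):
    """Report added, removed and changed files that hold personal data in either scan."""
    relevant = {k for k in set(old) | set(new)
                if old.get(k, {}).get("personal_data") or new.get(k, {}).get("personal_data")}
    return {
        "added": sorted(k for k in relevant if k not in old),
        "removed": sorted(k for k in relevant if k not in new),
        "changed": sorted(k for k in relevant
                          if k in old and k in new and old[k]["sha256"] != new[k]["sha256"]),
    }


def demo():
    """Constructed scenario: two scans of a file share where a customer list is edited."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "finance").mkdir()
        # Constructed sample data, not real people.
        (share / "finance" / "customers.csv").write_text(
            "name,email,phone\nJ. Example,j.example@example.com,+44 7700 900123\n")
        (share / "stock.csv").write_text("part_number,quantity\nAB-1001,25\n")
        first = build_inventory(share)
        # A row is appended outside any controlled process between the two scans.
        with open(share / "finance" / "customers.csv", "a", encoding="utf-8") as fh:
            fh.write("K. Sample,k.sample@example.com,+44 7700 900456\n")
        second = build_inventory(share)
        return first, second, diff_inventory(first, second)


if __name__ == "__main__":
    first, second, changes = demo()
    for name, info in first.items():
        print(name, "PERSONAL DATA" if info["personal_data"] else "ok", info["reasons"])
    print("changes since last scan:", changes)
```

In practice the inventory would be written to disk after each scan and the diff reviewed by the GDPR team; the hash comparison is what turns a one-off discovery exercise into the ongoing monitoring the article calls for, and the flagged-file list is the evidence that such spreadsheets have actually been identified.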
While these issues relate solely to GDPR, it is equally evident that these issues will emerge with similar regulations worldwide, including CCPA and NYPA. Any organization that engages with the US and European Union markets needs to be aware of the issues and how best to address them, regardless of their size and location.
Enterprises should find a partner/provider with comprehensive tools that make supporting data privacy straightforward and that are quick to implement. Those solutions should encompass GDPR, CCPA, The Privacy Act, the Data Protection Act, and many other regulations.