
How can businesses manage GDPR’s ‘Terrible Threes’?


GDPR is a ‘threenager’ this year, and despite battling through the terrible twos many organizations are still struggling to protect their data. Last year alone, the UK had the second-highest total value of GDPR fines across the EU, with companies paying £39.7m in total. And, at the start of the year, figures indicated that GDPR fines had reached a staggering £245m.

The risk of fines is, however, not confined to GDPR. Currently, there are 128 countries with data protection and privacy legislation — including CCPA, PSD2, GLBA and a whole host of other acronyms. At the same time, the business landscape has changed considerably in the last three years – cue obligatory mention of Brexit and COVID-19.

To complicate the data protection challenge, the legislation itself could not have anticipated the fast-track adoption of technologies or the accelerated shift to cloud computing caused by the pandemic. That risk is compounded by an unprecedented uptick in remote working and by employees using home devices and networks that are almost certainly less secure than those found in the corporate environment.

These are not new concerns when it comes to data management and protection, but the issue is that few businesses were prepared for how quickly things escalated. After all, many were focused on digital transformation simply to keep their business going, so security in the design of new systems and processes was often neglected, albeit not through choice.

The good news is that valuable lessons have been learnt, particularly when it comes to protecting and managing data to ensure compliance. And through talking with many of our own customers, we can share a few.

There is a shift from reactive to proactive when it comes to data security and compliance. Many companies are starting to take a proactive approach to data security and are recognizing that ensuring regulation is met means laying a solid foundation by adopting the right IT infrastructure.

They have started identifying how sensitive their data is and assigning the right level of security accordingly, from personal data, such as biometrics, through to publicly available information, like your address or job title. Once classified, businesses can apply the appropriate data protection rules, for example, restricting access based on clearance requirements and the level of material sensitivity. For some businesses, this will mean going through a reactive identification process, but a vital one nonetheless, as proactive data management requires getting your house in order first. The next step is closing the gaps in identifying, tracking and classifying all of an enterprise’s data in real time.
