Today, Wednesday, the 25th of May 2022, marks the completion of 4 years since the General Data Protection Regulation (GDPR) became effective in the European Union.
EU data protection laws have long been regarded as the platinum standard worldwide. When the European Union announced the General Data Protection Regulation, it was well received by citizens and businesses across the globe, even though there was some hesitance from certain industry sectors.
As you all know, GDPR is now recognized as law across the European Union, and it is regarded as the strongest data compliance regulation in the world. However, some challenges still exist. Many organizations see GDPR as a technical standard rather than a statutory requirement, and cannot see the law from the perspective of the data subject/citizen. This approach is causing trouble for many organizations. Some other known challenges are:
- Identification of appropriate and suitable controls for protecting personal information
- Challenges in obtaining appropriate consent. This is still a grey area for many.
- Inability to see the regulation from the perspective of ‘fundamental rights’
- Inability to adopt a best practice/standard for a privacy management system
- Timely identification of data breaches
- Lack of understanding of the legal basis for data processing
ISO has recently published a standard for privacy information management systems (ISO/IEC 27701). This standard is applicable to data processors as well as data controllers, and it is expected to help organisations plan, design, implement and monitor privacy controls effectively. However, adoption among businesses has not been as widespread as expected.
A quick analysis of data breaches and violations during the last four years points to some specific areas that need attention. Some of the critical issues that led to financial penalties were:
- Non-compliance with data processing principles
- Insufficient legal basis for data processing
- Inadequate technical and organizational measures to ensure security
- Insufficient cooperation with the respective supervisory authorities
Luxembourg imposed a massive fine of 746 Million Euros on a technology company for its non-compliance with general data processing principles. At the same time, Ireland imposed a penalty of 225 Million Euros on a social networking platform for its insufficient fulfilment of information obligations. The list is endless, and no industry is spared: it includes technology companies, social networking/messaging platforms, e-commerce firms, telecom operators, airlines, hospitality organizations, healthcare institutions and government departments.
It is important for every organization to understand GDPR in its right spirit and respect the rights of citizens. Focus on the grey areas and challenges, and identify appropriate technical controls to address them. Organizations may have to spend more on additional controls in some grey areas, but that will save millions in revenue that would otherwise go to penalties. A realistic privacy process risk assessment will help you to identify such areas.
The role of an independent assurer performing periodic reviews of GDPR compliance is becoming paramount, and it will help to reduce the risk of sanctions. In addition, independent assurers are also helping organisations raise awareness of effective GDPR implementation.
Reach us to know how DNV can help you.