Businesses need to take a risk-based approach, focusing compliance efforts on their biggest vulnerabilities
With the GDPR deadline passing the 100 day mark recently, the May 25th deadline looms closer. Many businesses have begun preparing for the new legislation, but its full implementation is likely to reveal some unforeseen challenges and it is anticipated that large fine headlines will be made before the year is out.
Data protection authorities (DPAs) are focused on encouraging compliance with the GDPR, but are expected to impose significant fines and other penalties where they feel that businesses are disregarding their GDPR compliance obligations. 2018 could well be the year in which DPAs fully bare their teeth.
Over the last 20 years, many businesses formed the view that EU data protection law was unlikely to be a major compliance risk, because the average fines are comparatively low, and the likelihood of incurring such a fine is also low in most cases. Conversely, the cost of compliance is relatively high, and often requires wholesale changes to business practices. Many businesses therefore decided that these costs were simply not worth it.
However, with GDPR introducing maximum fines of the greater of €20 million or 4% of worldwide turnover, EU DPAs will be looking to demonstrate that they have the power to shock businesses into action, where needed. We are likely to see at least one fine above the €10 million mark by the end of 2018.
Businesses will need to be agile and ready to quickly close gaps in their GDPR compliance strategy. Total compliance with GDPR is not always realistic. This is because the legislation is so wide-ranging in its application, and even businesses that have the right systems and procedures cannot always ensure that employees will make all the right choices.
Businesses also do not have limitless compliance budgets, and therefore need to take a risk-based approach, focusing efforts on their biggest vulnerabilities.
Data breaches and the threat from "good" employees
The GDPR lays out new rules around data breaches, with much tighter timeframes for reporting when personal data are lost or hacked. Businesses need to be ready to report data each breach to the relevant DPA within 72 hours of discovering that breach. This is an extremely tight timeframe, and businesses should ensure that they have clear internal procedures in place to ensure that it is met.
Many businesses under-estimate the risk posed by their hard-working and well-meaning employees. Much has been said about the threats posed by nation states and rogue hackers, but one of the biggest data security risks comes from decent people who are simply trying to do their jobs, and are struggling to do so in the face of well-intentioned but over-zealous IT security policies.
Such policies leave employees with few options when it comes to moving data around, which is increasingly a fundamental part of work. Diligent employees often know the policies, but are forced to find a way around the system in order to do their jobs.
For example, there have been cases of employees who are prevented from using USB keys to move data around. As a result they have begun uploading data to low-security cloud accounts, significantly increasing the risk of a data breach, and achieving the exact opposite of what the aims of the IT security policy.
Policies need to be GDPR-compliant, but this is not simply a tick-box exercise. Businesses must provide their employees with practical ways to complete necessary tasks – otherwise employees will find other ways of doing so, often creating unforeseen vulnerabilities.
A rise in privacy litigation
Businesses may see the beginnings of a new trend in privacy litigation in 2018. Individuals will have significantly greater rights over their data under the GDPR and increased awareness could see consumers and activist shareholders using data protection law as a weapon, and as a way of reclaiming money.
Businesses need to identify where they might be at risk and be ready to defend their position. Financial provision for possible litigation (including insurance) may become an increasingly necessary part of life under the GDPR.
When it comes to privacy and data protection, 2018 has the potential to be a turbulent year. Keeping an eye on developments, and watching where regulators are focusing, will be key to developing a successful compliance strategy.