For the past year, the privacy and security world has kept a laser-like focus on the European Union’s General Data Protection Regulation (GDPR). And what a year it’s been. More than 59,000 personal data breaches were reported across Europe from the enforcement date of GDPR on May 25, 2018, to International Data Protection Day on January 28, 2019.
Even though regulators have been inundated with thousands of breach notification reports, only 91 fines were imposed under GDPR in that same time period. Of particular note: France fined Google nearly $57 million for the first major violation of GDPR when the company failed to properly disclose to users how their data is collected to present personalized ads. But as Helen Dixon mentioned in a 2019 IAPP Global Privacy Summit general session, it takes at least six months to conclude a large-scale GDPR compliance investigation and decision - in other words, more consequences (read: fines) are coming down the pike.
GDPR goes global
GDPR compliance was not a completed task after May 25, 2018—rather, it is an ongoing responsibility. Leaders are moving beyond local compliance to thinking about global privacy accountability and the need for a “global operational privacy framework.” Indeed, GDPR has set a global standard for privacy regulations and is now viewed as a template by countries seeking to craft new privacy laws. PIPEDA has been called “Canada’s own GDPR.” Australia, Brazil, and Japan also have similar approaches to GDPR.
In the United States, the California Consumer Privacy Act (CCPA) has even broader definitions of personal data than GDPR and has inspired the introduction of similar legislation in 11 other states. This similarity is good news for organizations that have invested in GDPR compliance. According to TrustArc research, about 21% of organizations that worked on GDPR believe that they are now also ready for CCPA, as opposed to a much smaller percentage of organizations that did not work on GDPR.
I have a privacy budget? Thanks, GDPR!
As we all know, privacy departments have historically had limited budgets of their own. GDPR has changed much of that, giving privacy teams access to the resources needed to meet their organization's international privacy obligations.
Technology investments, in particular, help organizations manage the increasing complexity of their privacy programs. I recently had the pleasure of participating in a webinar with Margaret Alston, Consulting Program Director at TrustArc, and during the program Margaret noted that “all parts of the organization handle data, so all parts of the organization have to be involved in the solution for privacy. The research that we've done bears out the proposition that privacy has to be managed with some kind of organization, and technology can help organizations manage that complexity. In fact, an overwhelming majority of organizations report an increasing need for technology and tools.”
View a recording of the recent webinar featuring Doug Kruger and Margaret Alston in conversations surrounding GDPR benchmarking data, strategies for streamlining compliance with global privacy concerns, and tips for implementing a comprehensive and best-in-class program.
Non-malicious incidents and the perils of over-reporting
According to the Data Protection Commission Annual Report, from May 25 to December 31, 2018, 85% of breach notifications involved unauthorized disclosures. That means the vast majority of incidents reported may not be malicious or intentional. They don’t involve threat actors trying to break into the organization; human error is the culprit. Focusing only on malicious incidents or attacks means missing a wide category of non-malicious incidents that pose the same level of regulatory risk and complexity as their more evil-minded counterparts. When there’s a disclosure, malicious or not, there’s a presumption that a breach has occurred. It is up to the organization to perform a multi-factor risk of harm assessment to make that determination.
When organizations perform an effective multi-factor risk assessment in which they can show that sufficient risk mitigation measures were in place, RADAR incident and breach metadata has shown that almost 82% of GDPR incidents are not notifiable; they do not reach the threshold where notification to supervisory authorities or affected individuals is required. Without performing the assessment, organizations are, by definition, over-reporting, putting their brand and reputation at risk. Over-reporting also subjects organizations to greater regulatory oversight, because it’s assumed that they lack a consistent and effective process for performing an incident risk assessment.
Compliance starts with privacy automation
GDPR’s 72-hour notification deadline is tight. It’s also virtually impossible to meet without using privacy technology to automate the incident response process. According to the 2019 BakerHostetler Data Security Incident Response Report, the average incident lifecycle ran 66 days from incident occurrence to discovery, and 56 days from discovery to notification. RADAR metadata reveals that organizations using automation to make the breach/no-breach determination experience only about 21 days from occurrence to discovery, and 27 days from discovery to notification.
So, yes, what a year! As we watch privacy laws evolve across the globe, it’s obvious that GDPR’s influence is not confined to the European Union. Wherever you turn, notification timelines are shorter and definitions of personal information are both broader and more nuanced. To manage their privacy risk in a changing world, forward-looking organizations realize the importance of best-in-class technology to automate their incident response process and reach a decision faster.
Get more in-depth insights on the GDPR one year later by viewing the on-demand webinar: GDPR: Where Are We Now?