I’ve heard data breaches referred to as “make or break moments” in the career of a privacy professional. To be sure, no one is a huge fan of a possible data breach coming across their desk, signalling the start of an investigation and risk assessment process in which time is of the essence. It could be an event that brings attention from regulators, requires notifications to affected individuals, and could even invite unwanted media attention.
On the other side of the coin, if your organization’s privacy program is best in class, it could be a way to demonstrate the efficacy of your privacy program, the risk mitigation efforts you have in place, and your commitment to being good stewards of data. With growing public awareness of privacy concerns and new data breaches in the news every day, being an organization that can be trusted with private data is not optional - it’s required for continued organizational success.
Speaking of make or break moments in privacy, this weekend marks the one year anniversary of GDPR’s effective date. It’s interesting to note the repercussions and influence of the attention-grabbing regulation.
- Fines and enforcements - stay tuned. The DLA Piper report from February of this year predicted more fines (and large ones at that) as regulators move forward with their backlog of breach notifications. And at IAPP Global Privacy Summit earlier this month, GDPR regulators from Ireland, the UK and Austria hinted that more enforcement actions should be expected in the months to come.
- Over-reporting is not a strategy. In the months following the GDPR’s effective date, GDPR regulators were reporting increasing volumes of breaches being reported - and according to the ICO, one in three of those reported events were not reportable under the breach notification threshold of the GDPR. Reporting everything isn’t “playing it safe” when it comes to avoiding regulatory enforcement under the GDPR - in fact, it can be an indication of a greater problem within your privacy team, and invite increased scrutiny from regulators.
- Organizations are having to reconsider the applications of data - and the data in their technology applications. In the months leading up to the GDPR’s effective date, organizations were performing a flurry of Data Protection Impact Assessments (and hopefully continue to do these assessments). This practice reinforced organizational processes to identify and minimize risk in the processing of data, and helped organizations increase internal awareness of privacy protection issues all around. It also elevated the importance of Privacy by Design fundamentals. In the developer world there remain far-reaching impacts of this. The French data protection authority CNIL issued a “Developer Kit” with best practices for data protection. And the EU has recently published a set of guidelines on the ethical applications of artificial intelligence.
How has your organization’s approach to privacy and data security changed in the last year?
If you’re in the Des Moines area, I invite you to join fellow privacy professionals as we network and continue this conversation at the first ever IAPP KnowledgeNet event in the area on Thursday, June 6th from 5 - 7 PM Central Time. More details and the option to RSVP here.
If you’d like to share what privacy and data breach news is currently on your radar, we would love to hear from you at firstname.lastname@example.org.