May 25th is the second anniversary of the General Data Protection Regulation (GDPR) and data around compliance with the regulation shows a significant disconnect between perception and reality.
Only 28% of firms comply with GDPR; however, before GDPR kicked off, 78% of companies felt they would be ready to fulfill its data requirements. Their confidence was high, but when push comes to shove, complying with GDPR and GDPR-like laws – such as CCPA and PDPA – is not as easy as initially thought.
Data privacy efforts
While crucial, facing this growing set of regulations is a massive, expensive undertaking. If a company is found out of compliance with GDPR, it is looking at fines of up to 4% of annual global turnover. To put that percentage in perspective, the 28 major fines handed down since GDPR took effect in May 2018 add up to $464 million – a hefty sum for sure.
Additionally, there is a cost to comply – something nearly every company faces today if it conducts business on a global scale. For CCPA alone, initial estimates put the cost of getting California businesses into compliance at around $55 billion, according to the State of California DoJ. That is just to comply with one regulation.
Here’s the reality: compliance is incredibly expensive, but not quite as expensive as being caught being noncompliant. This double-edged sword is unfortunate, but it is the world we live in. So, how should companies navigate in today’s world to ensure the privacy rights of their customers and teams are protected without missing the mark on any one of these regulatory requirements?
Baby steps to compliance
A number of companies are approaching these various privacy regulations one-by-one. However, taking a separate approach for each one of these regulations is not only extremely laborious and taxing on a business, it’s unnecessary.
Try taking a step back and identifying the common denominator across all of the regulations. You’ll find that in the simplest form, it boils down to knowing what data you actually have and putting the right controls in place to ensure you can properly safeguard it. Implementing this common denominator approach can free up a lot of time, energy and resources dedicated to data privacy efforts across the board.
Consider walking through these steps when getting started: First, identify the sensitive data housed within systems, databases and file stores (e.g. Box, SharePoint). Next, identify who has access to what, so that you can ensure that only the people who should have access actually do. This is crucial to protecting customer information. Lastly, implement controls to keep employee access up to date. Using policies to keep access consistent is important, but it is crucial that they are reviewed and stay current with any organizational change, such as role moves and departures.
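As an added example (not from the original article), the three steps above carried out as a small access review over constructed data: a crude discovery rule labels files as sensitive, then every ACL entry is checked against an HR roster and a data-owner map, and access that belongs to leavers, unknown accounts, or people outside the owning department is reported for revocation. All names, paths and dates are made up.

```python
import re
from datetime import date

# Constructed sample data (not from the article) standing in for a file store,
# its ACLs, the HR roster and which department owns each data set.
FILES = {
    "hr/payroll.csv": "name,email\nAda Lovelace,ada@example.com",
    "marketing/brochure.txt": "Our spring catalogue is here!",
}
ACL = {"hr/payroll.csv": {"bob", "carol", "dave", "ghost"},
       "marketing/brochure.txt": {"bob", "dave"}}
ROSTER = {"bob": {"dept": "hr", "left": None},
          "carol": {"dept": "marketing", "left": None},
          "dave": {"dept": "hr", "left": date(2020, 3, 31)}}
OWNERS = {"hr/payroll.csv": "hr"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

def classify(sample_text):
    """Step 1: crude discovery rule; an email address marks a file as personal data."""
    return "sensitive" if EMAIL_RE.search(sample_text) else "public"

def review_access(files, acl, roster, owners, today):
    """Steps 2 and 3: return (user, path, reason) triples for access to revoke.
    Leavers and unknown accounts are flagged on every file; on sensitive files
    anyone outside the owning department is flagged as well."""
    findings = []
    for path, users in acl.items():
        label = classify(files.get(path, ""))
        for user in sorted(users):
            person = roster.get(user)
            if person is None:
                findings.append((user, path, "unknown account"))
            elif person["left"] is not None and person["left"] <= today:
                findings.append((user, path, "employee departed"))
            elif label == "sensitive" and person["dept"] != owners.get(path):
                findings.append((user, path, "outside owning department"))
    return findings

def run_sample(today=date(2020, 5, 25)):
    """Run the review over the constructed data; returns the revocation list."""
    return review_access(FILES, ACL, ROSTER, OWNERS, today)

if __name__ == "__main__":
    for user, path, reason in run_sample():
        print(f"revoke {user} on {path}: {reason}")
```

In practice the file scan, ACL export and roster would come from the real stores and HR system, and the review would be re-run on a schedule so that access tracks organizational changes.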
Staying ahead of the game
The only way to stay ahead of the numerous privacy regulations is to take a general approach to privacy. We have already seen extensions of existing regulations, like the California Privacy Rights and Enforcement Act of 2020. 'CCPA 2.0', as some people call it, would be an amendment to the CCPA. If this legislation takes effect, it would create a whole new set of privacy rights that align well with GDPR, putting greater safeguards around sensitive personal information. It's my opinion that, since the world has begun recognizing that privacy rights are more invaluable than ever, we'll continue to see amendments piggybacking on existing regulations across the globe.
While many of us have essentially thrown in the towel, knowing that our own personal data is already out there on the dark web, that doesn't mean we can all sit back and let this continue to happen. Doing so would be to the detriment of our customers' privacy, as well as cost-prohibitive and ineffective.
So, what are the key takeaways? Make your data privacy efforts just as central as the rest of your security strategy. Ensure it is holistic and takes into account all the facets and overlaps of the various regulations we are all required to comply with today. Only then do you stand a chance of protecting your customers' and employees' data and of avoiding becoming another news headline and a tally on the GDPR fine count.