In May 2018, the General Data Protection Regulation, or as most of us know it as, GDPR, came into effect. Ahead of its implementation, businesses and consumers were somewhat bombarded with warnings about its importance, the severe implications on businesses if they weren’t GDPR compliant, and a promise to consumers that their privacy and information rights would be vastly improved.
Despite this, almost 18 months on, and new research has found that 52% of UK businesses are still not fully compliant with the regulation.
Findings from a survey conducted by Egress reveal that over one-third of decision-makers said GDPR has become less of a priority for their organisation in the last 12 months.
A significant proportion (35%) of GDPR decision-makers said that the majority of compliance activity had taken place in the lead up to the May 2018 deadline and had since dropped down the priority list and remained less important.
Only 6% said that the ICO’s recent high-profile announcements of its intention to fine British Airways and Marriott had subsequently shocked the business back towards greater awareness.
Tony Pepper, CEO of Egress believes that the rush to meet last May’s deadline has resulted in an ‘almost compliant is close enough’ attitude towards GDPR, noting the decrease in focus over the past year.
“The wait of more than a year between implementation and the first action taken by the ICO under GDPR seemed to lead to a perception outside the security industry that the regulation was ‘all bark and no bite’.
“Although the authority’s announcement that it intends to fine British Airways and Marriott such staggering sums sent shockwaves through the security community, it is concerning only 6% of organisations have taken action to avoid the full potential of the legislation. These announcements should definitely have acted as a clearer warning that organisations cannot risk compliance complacency,” says Pepper.
“This is important for businesses in the small and mid- market segments, where our survey found lower compliance levels being reported. Although the ICO’s action to date has focused on two well-known enterprise organisations, GDPR demands compliance from businesses of all sizes and they need to take all necessary steps towards protecting data.”
The Information Commissioner’s Office (ICO) is a non-departmental public body which reports directly to Parliament.
“With the initial hard work of implementing the GDPR behind us, there are ongoing challenges of operationalising and normalising the new regime. This is true for businesses and organisations of all sizes” Elizabeth Denham CBE, ICO
Sponsored by the Department for Digital, Culture, Media and Sports (DCMS), it is the independent regulatory office dealing with a number of regulations, including the General Data Protection Regulation.
In a recent blog post, Elizabeth Denham CBE, UK information commissioner at the ICO, delved deeper into the state of today’s GDPR affairs since its implementation.
“Last May marked a seismic shift in privacy and information rights with the implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018,” she said.
“The change in the regulatory landscape has shown the importance of getting privacy right. People have woken up to the new rights the GDPR delivers, with increased protection for the public and increased obligations for organisations.
“But there is much more still to do to build the public’s trust and confidence. With the initial hard work of preparing for and implementing the GDPR behind us, there are ongoing challenges of operationalising and normalising the new regime. This is true for businesses and organisations of all sizes.
“A key area of work for my office during 2019/20 will be to support all parts of the UK business community, from the smallest SMEs to the biggest boardrooms, to deliver what is needed,” promised Denham.
“Where the law requires it, I want to see Data Protection Officers (DPOs) embedded and supported in their respective organisations by senior management.
“Keeping sensitive data safe is critical to the success of retailers, as a data breach can irreversibly damage consumer trust and a retailer’s reputation” Paul Barnes, Webroot
“The focus for the second year of the GDPR must be beyond baseline compliance. Organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated,” she warned.
Myths and mistakes
While some businesses have managed to get their GDPR situation in order, it seems like a surprisingly high amount have struggled to get it under control. PCR asked Paul Barnes, VP of product strategy and UX at Webroot what some of the biggest mistakes businesses have been making when it comes to GDPR compliance.
“A lot of businesses, particularly SMBs, may have started too late in implementing GDPR changes last year. When GDPR compliance is allocated to a person/department, those individuals are often so engaged in fulfilling their day-to-day obligations that the move to compliance wanes until there is a sudden realisation that GDPR must be upheld or businesses will face severe consequences.
“Many see GDPR as a one-dimensional compliance problem that’s best left to their legal department. This is a serious error, as GDPR impacts every department within a business that processes personal data. If left to one person/ department, businesses could struggle to struggle to stay compliant,” says Barnes.
“An important point to note is that GDPR compliance doesn’t equal a robust cybersecurity strategy, and this is a mistake that many businesses make. An organisation can tick all the boxes to comply with GDPR regulations, but security cannot be guaranteed because of it, and businesses should not see GDPR as an excuse to not invest in a cybersecurity solution.”
We also asked Barnes about some of the myths out there around GDPR that may have caused problems for UK businesses. “I think the most damaging myth is that data breach reporting is all about punitive action toward organisations,” Barnes tells PCR. “GDPR is designed to give organisations a nudge to improve their ability to detect and deter breaches. Punishing organisations is not at the forefront of regulators’ minds, instead, they are looking to encourage businesses to tighten their data handling processes and reduce security vulnerabilities.
“Naturally, there will always be attempts to obtain data through illicit means, and the ICO understands this. Retailers should view GDPR compliance as an opportunity to apply continuous assessments to their security practices as new threats emerge.”
Compliance advice for retailers
Depending on your type of business, your GDPR practises will look different. But focusing specifically on UK retailers, Barnes outlines advice for new businesses in the industry, as well as those needing to take another look at their currently GDPR setup.
“Retail organisations regularly process sensitive customer data, including financial details, names and addresses. Keeping these details safe is critical to the success of retailers, as a data breach can irreversibly damage consumer trust and a retailer’s reputation, which, combined with heavy fines levied under GDPR, have the potential to cripple businesses.
“Ultimately, GDPR is about a business’ understanding of what data they store, where it’s kept and having a legal reason to hold it. Retailers need to make sure all data that they store and transmit is encrypted, where access is only given to those within the organisation that need it to perform their job. Keeping systems and applications up-to- date, and a well-defined password policy, will also help in this ever-evolving battle.”
Barnes says that communication and information flow between the organisation and its employees are vital, so encouraging a certain level of visibility can be effective in lowering the chances of a data breach.
“Retailers, and their employees, need to know what information they store needs protection under GDPR, and from there apply the appropriate security measures,” he explains.
“User education is arguably the most cost-effective approach to improving the security posture of any organisation. It’s vital that personnel understand the technologies they are asked to manage and monitor. The intelligence gathered by security systems needs to be understood, so when an attack occurs, incident response plans are executed effectively and efficiently to contain the breach and all affected parties are informed of the facts as soon as possible. These need to be clearly defined, with everyone in the organisation understanding their role.”
Barnes concludes: “This coming year, data protection should continue to be at the top of the priority list for retailers. Businesses must ensure that their processes stand up to scrutiny and have an open dialogue with their customers to educate them on how data is being used and ultimately protected.
“Compliance is a continuous requirement and although most organisations have made a good start, there is always more to do.”
PCR’s Top Women in Tech 2019: We’ll be highlighting 25 women that have made a positive impact in the industry over the past year, and we need YOU to submit yourself or your colleagues. Email firstname.lastname@example.org now to find out how to submit your entry.
Read the latest edition of PCR’s monthly magazine below: