On May 25, 2018, GDPR came into effect. Since then, companies across the EU and the UK have received nearly 500 million Euros in fines. The cybersecurity world always welcomes stricter measures on organizations that fail to secure their citizens' and customers' data.
We are more than two years in. Has this law worked as intended?
GDPR Has Acted As a Catalyst for Global Privacy Regulation.
GDPR has inspired a wave of regulations around the world, such as the Privacy Principles in Australia and the Privacy Data Protection Act in Singapore.
Even in the US, the state of California drafted the California Consumer Privacy Act, which went into force on July 1, 2020. This act brings controls similar to GDPR to American businesses.
However, some countries, such as Greece, Portugal, and Slovenia, have yet to bring their national laws into compliance with GDPR. Because of this lag, the GDPR has not been enforced across the whole of the EU. This lag is expected to end in 2020 as these countries implement national legislation that incentivizes businesses within their borders to ensure they are compliant with the GDPR.
How Many Incidents Have Resulted In a Fine?
The International Association of Privacy Professionals (or the IAPP) reports that more than 64,000 GDPR-related notifications were made to privacy regulators, with only 240 of them resulting in fines.
The fines are less frequent than we may have first thought, but the frequency of breaches is now on the rise.
Many GDPR-related Incidents Were Easily Preventable.
Verizon's 2020 DBIR (Data Breach Investigations Report) highlighted a 5.4% increase in misconfiguration playing a significant role in data loss.
At any given time, billions of documents are exposed on the web, often accidentally through a cloud service's misconfigurations. Such an incident can cause regulators to hit your business with a steep fine. However, companies can quickly fix almost all of these mistakes.
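The most common form of the misconfiguration described above is a storage bucket policy that grants anonymous ("everyone") read access. The following is an added example, not code from the original article: it audits a bucket policy for unconditioned anonymous Allow statements and produces a corrected policy with those statements removed. It assumes the AWS S3 bucket-policy JSON shape (IAM policy language) as its input format; the sample policy, account id, role and bucket names are constructed for illustration.

```python
"""Audit a cloud storage bucket policy for anonymous (public) access.

Added example for the article; not its code. Assumes the AWS S3 bucket-policy
JSON format. The sample policy below is constructed for illustration only.
"""
import json

# Constructed sample: a legitimate app-role grant plus an accidental public grant.
SAMPLE_PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAppRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},  # constructed
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-docs/*",  # constructed bucket name
        },
        {
            "Sid": "OopsPublic",
            "Effect": "Allow",
            "Principal": "*",          # anonymous: anyone on the internet
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-docs/*",
        },
    ],
})


def _is_anonymous(principal) -> bool:
    """True if the Principal element matches everyone (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def _sid(stmt: dict, index: int) -> str:
    """Statement id, falling back to its position when no Sid is set."""
    return stmt.get("Sid", f"statement[{index}]")


def find_public_statements(policy_json: str) -> list:
    """Return ids of Allow statements that anyone can use with no Condition.

    A wildcard principal that carries a Condition (for example a source VPC
    endpoint restriction) is not flagged here; it still deserves manual review.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _is_anonymous(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append(_sid(stmt, i))
    return findings


def remove_public_statements(policy_json: str) -> str:
    """Return a corrected policy JSON with the public Allow statements removed."""
    policy = json.loads(policy_json)
    public = set(find_public_statements(policy_json))
    kept = [s for i, s in enumerate(policy.get("Statement", []))
            if _sid(s, i) not in public]
    return json.dumps(dict(policy, Statement=kept), indent=2)


def statement_sids(policy_json: str) -> list:
    """List the statement ids of a policy, in order (used to confirm the fix)."""
    policy = json.loads(policy_json)
    return [_sid(s, i) for i, s in enumerate(policy.get("Statement", []))]


if __name__ == "__main__":
    print("public statements:", find_public_statements(SAMPLE_PUBLIC_POLICY))
    fixed = remove_public_statements(SAMPLE_PUBLIC_POLICY)
    print("after fix:", find_public_statements(fixed), statement_sids(fixed))
```

Running the check over a downloaded policy on a schedule, and refusing deployments whose policy it flags, turns the "quick fix" the article mentions into a control that catches the mistake before the documents are ever exposed.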
How Will the Pandemic Affect GDPR Moving Forward?
We should certainly factor in the ongoing pandemic. The UK's ICO (Information Commissioner's Office) has already said it will suspend data auditing and instead work on the most severe challenges to the public. Unfortunately, breaches will continue, now more than ever. It remains to be seen how regulators will handle other companies suffering data loss.
With the pandemic placing so much stress on the economy, regulators may be hesitant to heap even further pressure on an already struggling private sector. For the time being, we may see more severe cases being handled with more flexibility as far as fine payment is concerned.
Prevention is the Best Defense from Cybercriminals and the GDPR.
The best thing that all companies can do to stay out of the regulators' line of fire is to adopt the best security practices from the beginning. Businesses that proactively manage their data's exposure will keep their data safe from criminals, and their bottom line safe from GDPR.