GRC & Chill: Kickstarting Your Risk Management with Quantification
In this episode of GRC & Me, Megan Phee talks to Netflix's Senior Information Security Risk Engineer, Tony…
A lot has happened since we last wrote about the EU’s General Data Protection Regulation (GDPR) and trends in data privacy. What was once seen as some of the most stringent data privacy regulations are quickly becoming the standard for data privacy worldwide. As the regulatory landscape continues to evolve, here’s what you need to know and seven steps you can take to prepare for what’s coming.
The High Cost of Non-Compliance for GDPR
Fines for GDPR violations are steep, with two tiers of penalties which max out at the higher of €20M or 4% of global revenue. In addition, data subjects, or the person whose data is processed, can seek compensation for damages.
According to a report by DLA Piper, between January 2020 and January 2021, data breach notifications under GDPR rose 19% while fines increased by 40%. This double-digit growth is expected to continue in the foreseeable future, driven by evolving regulations worldwide and increasing consumer awareness of their rights to data privacy.
Elevated Risk Due to Remote Work
Although the security perimeter of companies expanded with the transition to remote work, the rules around data privacy did not change, making GDPR compliance even more complex. GDPR mandates that personal data is protected both in transit and at rest.
Data is in transit whenever you access it—whether that’s from a central office or a home office—while data at rest is any data being stored in the cloud, on a hard drive, or any other device. You need to ensure your company’s cybersecurity policy and practices are up to date with these developments and employees are trained appropriately to avoid data breaches.
Evolving Data Privacy Regulations Worldwide
The regulatory landscape continues to evolve worldwide. Countries such as India, China, Brazil, Singapore, and Australia, among others, are developing new or revisiting existing privacy legislation. Domestically, states within the US have enacted or are contemplating cybersecurity, data security, and data breach notification laws as California did with the CCPA to protect their citizens.
According to Gartner, by 2023, 65% of the world’s population will be covered by modern data privacy laws. This means companies that process or collect data flows will have to coordinate and comply with multiple regulatory frameworks and more stringent data protection standards, with a high cost for non-compliance.
Prepare for GDPR and Data Privacy Compliance
Adhering to GDPR’s or any country’s data privacy standards is about more than taking the necessary safeguards, your company must be able to demonstrate compliance. Here are some actions you can take to stay in compliance and be better prepared for what’s coming.
- Clearly designate and document responsibilities for data protection and GDPR compliance. In some cases, you may need to appoint a Data Protection Officer.
- Ensure you have a lawful basis to process personal data. The rules by which data can legally be processed under EU GDPR are specified here.
- Maintain detailed documentation of the data that is being collected, how it is being used, where it is stored, who is responsible for it, and who has access to it. This is a critical step in maintaining and demonstrating compliance. Unfortunately, many companies are reliant on legacy systems (read: spreadsheets), making compliance difficult to demonstrate in the event of a breach.
- Deploy technical and organizational cybersecurity measures along with appropriate, ongoing training. Technical measures could include encryption or two-factor authentication while organizational measures may include staff training, establishing and documenting a firmwide data privacy policy, or restricting access to personal data to employees who require it for their work.
- Establish a breach response plan so you can quickly take appropriate action in the event of a breach. Given the tight timeline for reporting—in some cases 72 hours—it’s critical that you have a documented and tested plan so the responsible parties know who they are and what steps to take to maintain compliance.
- Put in place Data Processing Agreement contracts with relevant third parties. If you are using cloud storage, email, or any other third-party platform or service that stores or processes private data, you could be liable in the event of a data breach, even if it was through third-party error, oversight, or non-compliance.
- Expand your risk assessment to include data privacy risk, its potential impact and exposure, and mitigating factors. Regularly reviewing your data privacy exposure and protection practices will help you establish and maintain compliance as your business grows or regulations evolve.
How LogicGate Can Help
Requirements of the GDPR and other data privacy regulations are continuing to evolve and change which presents challenges for organizations, especially since the requirements to become and maintain compliance varies for each business. Learn how LogicGate can help you take the uncertainty out of data privacy compliance by centralizing and automating your data privacy processes as well as enhancing any of your existing processes.
