9 months in: Coping with GDPR compliance

GDPR compliance: What does your company stand to lose if it suffers a data breach?

| The cost of non-compliance.

Businesses should not need reminding that in May last year the General Data Protection Regulation (GDPR) came into effect. Nine months later, we find that some companies have ceased trading and others have had to restrict their operations while they cope with the practical implications of the new legislation.

GDPR compliance applies to ANY company situated in the European Union (EU) and in most cases, also applies to businesses located elsewhere in the world, that collect, process or store personal data relating to individuals (data subjects) who reside in the EU.

Individuals now have specific rights concerning their personal data, where it is stored and how it is used. This represents a challenge and a responsibility for businesses to implement processes and technologies that ensure people’s rights are respected and upheld.

Unexpected cyber attacks

Cyber attacks, ransomware, system failures and unauthorised access have huge data security implications for companies that are unprepared. Even those who thought they were adequately protected have been subjected to data loss and compromised user accounts.

In one example, an online gaming company withdrew a game ahead of the GDPR coming into effect. Apparently, deleting players’ data on the game’s ageing 2009 platform was extremely difficult. Under the GDPR, individuals have the right to be forgotten. But the firm could not enable this capability without completely rewriting the game and moving it onto a new platform which, unfortunately, was not an affordable option.

Some tech companies have opted for an alternative solution and simply blocked EU residents from purchasing their products and services.

Meanwhile, many international publishing houses are struggling to find day-to-day solutions to the demands of the GDPR.

So, 9 months in… how are companies coping with GDPR compliance?

While some businesses enjoy the luxury of blocking EU residents from purchasing their products and services, others must be GDPR compliant in order to continue operating in their core markets. Consequently, they have had to implement additional capabilities.

To achieve GDPR compliance, companies must be able to present all of the data they have collected and stored on an EU customer. They must be able to provide that data when responding to a Subject Access Request (SAR). They must also be able to amend the data if it is incorrect, and delete it upon request. Additionally, they must be able to transfer the data to a third-party in a machine-readable format.

To be able to complete these, and other tasks, many companies have had to update and enhance their IT systems. They have also had to sharpen up their data management skills and create new procedures to obtain appropriate consent from customers, in order to respond to SARs.

Companies who fall foul of security breaches, or simply fail to comply through negligence risk facing the daunting prospect of punitive fines and reputational damage.

Some of the potential losses that businesses could face include:

Reputational damage

Companies that fail to be GDPR compliant and misuse people’s personal data are likely to find themselves in local, or national news. In the case of Facebook and Cambridge Analytica, the news od data misuse travelled across the globe almost instantly, causing the eventual demise of Cambridge Analytica and much egg on the face of Facebook. An investigation by the ICO can also lead to claims of negligence.

Data breach – first-party costs

In the event of a serious data breach, the company must, within 72 hours after becoming aware of the breach, notify the Information Commissioner’s Office (ICO) or, for non-UK companies, their appropriate EU data protection authority. They must provide full details of how the data breach occurred and what is being done to manage the breach.

Data breach – third-party litigation

Data breaches can cause a negative impact on individuals and often lead to third-party litigation with a view to seeking damages.

Company directors / Business owners

Company directors and small business owners alike can find themselves under the spotlight if they fail to demonstrate that they have acted diligently to ensure their company is GDPR compliant and that appropriate measures have been implemented to maintain compliance.

The GDPR requires new operational practices by companies and imposes serious penalties on those that do not meet the required standards. Having considered the implication and consequences, most businesses have taken advice from suitably qualified data privacy practitioners and have invested time, finances and resources in enhancing their data security systems and processes in order to be compliant.

Has your company achieved GDPR compliance?

Are you able to demonstrate to its customers that their privacy and their personal information is being treated with the care and respect that it deserves?