Data Privacy, GRC

GDPR a Year On - What Difference Has It Made?

Written by: Alex Hollis

Published on: 20 May 2019

With GDPR coming into force on May 25th 2018, what difference has it made a year on? Alex Hollis, GRC Practice Director at SureCloud, discusses what changes businesses have had to make as a result in terms of their data handling and storage, and what the future of data protection means for companies.

Alex Hollis, GRC Practice Director at SureCloud, reports:

Were the experts' predictions accurate?

Reviewing web trends for last year, we can see a considerable spike building towards the May deadline and then falling away sharply: by August 2018 the number of searches for GDPR had dropped back to the same level as two years prior. The experts within the space predicted that there would be many fines, with the German state regulators and the French agency, CNIL, leading the way. It was also anticipated that US tier-1 or tier-2 technology firms would be under investigation. That prediction has come true. There has been a great deal of activity from these regulators, with over 100 fines to date; at the start of this year Google received a massive €50 million penalty, and investigations into YouTube are ongoing with a potential fine of €3.87bn. There have also been over 60,000 data breach notifications reported to the regulators, and the penalties and sanctions for these are likely still to come.

Within organizations, the predictions have not been as accurate. Despite the initial rush of companies to appoint a DPO, train staff, change processes and purchase tooling, much of the energy leading up to the deadline has dissipated, and the predicted scare of the fines has not been as effective. The initial reaction from most companies was to update privacy policies and supplier contracts, which delivered none of the intended effects of the regulation. Organizations that went further became acutely aware of the mountain of data they hold and retain with a 'just-in-case' attitude. The task of unpicking decades of data (determining the source, the method of consent, the correct retention period and the lawful basis for processing) while also adapting to change in the business feels like a never-ending one. It would be fair to say most companies are working towards being compliant; however, without the pressure, most are becoming worryingly comfortable in the 'working towards compliance' state.

There are some exceptions to this: companies that have recognized the spirit of the regulation and have made huge leaps in the maturity of their privacy programs. They are not only moving closer to compliance but are also much more transparent and knowledgeable about how they are handling data, with some even identifying efficiencies and opportunities through this exercise.

The role of the data subject has also not been embraced as predicted. GDPR was also a move towards ensuring that individuals place more value on how their data is used. While there are many disgruntled people who have wielded GDPR as a method of attacking companies against whom they hold a grudge, the shift towards respecting our data privacy has not been realized. Most website users have been freely clicking through the privacy notices without any change in their appreciation of how their data is being used. The regulators have responded to this by criticizing websites that do not afford users the option to 'opt out'. This challenge rocks the very foundations of the internet and its ad revenues, and perhaps will force more of a change.

Has GDPR affected the US?

The conversations I have had in the US suggest that EU citizen data is treated as a separate privacy problem, but that view is going to be challenged with the California Consumer Privacy Act coming into effect in 2020. It seems governments recognize the need for the regulation and will increase the pressure globally.

What does the future of data protection mean for companies?

As we move into 2019, there will be more fines from the regulators to come. The penalties against Google will be fought out through various legal processes and are unlikely to result in any casualties, and as such won't create the desired motivation. The regulators may then move their focus to mid-tier organizations, which are not as well-resourced to fight and likely haven't taken as many steps around privacy. As such, the impact of the fines will be more dramatic. Many comparisons have been drawn with Sarbanes-Oxley, and it wasn't until people started going to prison that companies, and more importantly the people in those roles, began paying attention. Similarly, with GDPR the fines need to generate enough impact to motivate.