by Dr. Sanjana Mehta, Head of Market Research Strategy - EMEA
May 25 marks the first anniversary since the European Union’s General Data Protection Regulation (GDPR) came into force. After a two-year preparation process, the regulation came into effect a year ago tomorrow, harmonizing data security, data protection, data retention and data usage laws across the EU member states. It also has significant ramifications for companies outside the EU that hold personal information relating to EU citizens and organizations. Failure to comply with the GDPR can and will result in fines and other legal sanctions.
The GDPR has already had significant financial and reputational implications for organizations that are found to be in breach of the legislation. There has been a stark increase in the number of disclosed breaches as organizations embrace transparency in order to meet the 72-hour disclosure requirement. Doing so has, in many cases, helped organizations avoid financial penalties, although nearly 100 fines have been issued to date.
Data from law firm DLA Piper revealed that the UK reported the third highest number of breaches following the implementation of the GDPR, trailing only the Netherlands (15,400) and Germany (12,600). The number of reported breaches is significant and made more compelling when you consider the sanctions that compromised businesses could face if they are found to have been in breach of the legislation.
The maximum fine for a data breach or data privacy compliance failure has increased from £500,000 (in the UK) to €20 million or four percent of global GDP, whichever is higher. While the EU and its member states have yet to fully exercise the maximum penalties, we have seen Google fined €50 million by the French data protection watchdog for GDPR violations – the largest GDPR fine handed out to date. This one fine comprises the bulk of the €56 million in GDPR fines issued in the region in the last 12 months.
The importance of an ongoing understanding of the GDPR legislation, and of the best practices needed to achieve compliance, was a major factor behind the (ISC)² decision to include a GDPR course in our Professional Development Institute (PDI) catalog from the outset of the program.
GDPR for Security Professionals: A Framework for Success is an online, self-paced course designed to help security professionals contribute to the strategy, direction and implementation of GDPR compliance. It is an interactive, immersive training experience that provides the tools, knowledge and resources needed to maintain organizational compliance with GDPR mandates, offering supplementary education for any cybersecurity professional tasked with ensuring that the organization meets its GDPR obligations.
As we begin the second year of the GDPR era, now is the time to take stock and look at what we have learned over the last year about how we collect, use, protect and defend personal and sensitive data. Through continuous education, especially in multi-functional teams, we can improve these processes and ensure that the GDPR does not become a burden on organizations in the course of their business dealings.