4 years of GDPR: so what?
According to research by Domo, 2.5 million terabytes of data are produced every day, and 90% of the data currently available was generated in the last two years.
The giants of the technology world have put this into practice, exploiting what they learn about us through the processing of our personal data.
It is worth remembering that this data processing brings numerous benefits not only to companies, but also to society. Greater knowledge of people and their habits creates new business opportunities, such as personalized offers and cross-selling, and also improves customer service and retention rates. Companies are also able to create products and services that meet the needs (old and new) of their customers.
However, these benefits come with risks. As data gains more and more value in our society, malicious actors have taken advantage of the lack of protection mechanisms to gain access to data and misuse it. They can use this data to commit crimes, sell it, or obtain financial advantage through software that hijacks the data and demands a ransom payment, usually in cryptocurrencies.
Thus, it is the obligation of companies to protect the data of their customers, suppliers, partners and employees from corruption, compromise and loss. Protecting this data involves actions such as implementing backup and disaster recovery mechanisms, protecting against malware and ransomware, and controlling access to the data handled by the organization.
Many governments, aware of these challenges, have created specific laws that establish requirements for organizations to protect the personal data of their residents. China, the United Arab Emirates, Turkey and Brazil are some examples of countries that now have specific data protection legislation.
It is worth remembering, however, that all these countries relied on European legislation to develop their laws for the protection of personal data. It is important to emphasize that the concept of personal data protection is not new: the European Convention on Human Rights of 1950 already established that “everyone has the right to respect for family and private life, their home and correspondence”. Since then, Europe has sought to guarantee the protection of this right through its legislation.
With the rise of the internet and computer networks, Europe recognized the need to modernize these protections. Thus, in 1995, the European Data Protection Directive, also called Directive 95/46/EC, was passed. Being only a directive, that is, without the direct force of law, Directive 95/46/EC established minimum data privacy and security standards, on which member states based their own data protection laws. There remained a latent need for a law that would unite the member states of the European Union around the protection of personal data.
The General Data Privacy Regulation (GDPR) was conceived long before it came into force. It was only in May 2016 that the European data protection law was enacted, with its provisions taking effect two years later, on May 25, 2018. Considered a watershed in this regard, the GDPR introduces a series of guidelines and requirements that must be met by any company, whether or not located in Europe, that processes the personal data of European residents.
The first of these is the territorial scope of the law. While previous laws applied to data located in Europe, the new legislation expanded this scope to any data of European residents, regardless of where the data is located.
Second is the introduction of heavy fines for non-compliance. GDPR introduces two penalty tiers, which can reach €20 million or 4% of global revenue (whichever is greater). This is not to mention the damages that victims of data breaches can claim in court against companies.
Other rights established by the GDPR include the right to be forgotten, the requirement of user consent for the processing of their personal data, and the possibility of correcting or removing the data upon request from the data subjects.
Nevertheless, four years after its entry into force and millions of euros in sanctions, many companies still face difficulties in adapting to the GDPR. And the numbers are alarming. According to a study by Capgemini, a year after it went into effect, only 28% of organizations surveyed believed they were GDPR compliant.
Whoever believes that only small and medium enterprises struggle to adapt is wrong. Leaked documents from a third-party company showed that Facebook does not know where all user data goes and how it is processed. And the social media giant is not alone: Amazon and Google are also among the companies that have had multi-million fines imposed by the authorities. Amazon even broke the record for the largest fine imposed by European authorities: USD 877 million!
The decentralization of data through the adoption of cloud-based services creates even more complexity for companies, reducing the visibility needed to protect that data, increasing the effort needed to protect the data being processed, and paving the way for even higher sanctions.
In my opinion, the process of complying with GDPR (and with any data protection legislation) starts with proper data mapping. Where is the data stored? How is it processed? What mechanisms are needed to protect it? From this mapping, security leaders will be able to establish an appropriate strategy for compliance.
And compliance must be an ongoing exercise. Just because an organization was GDPR compliant on a specific date doesn't mean it can stop assessing how it handles personal data. After all, the continuous assessment of security processes and mechanisms is a way to considerably reduce the risk of multi-million fines, which can significantly affect business continuity.