Enforcement of GDPR went into effect on May 25, 2018. One year later, how is the risk management industry handling compliance with this sea change in data-privacy regulations? We spoke with Scott Wilson, chief security & privacy officer at Ventiv Technology, about how companies around the world are responding to GDPR.
On the one hand, according to research released by Cisco in January, a sizable percentage of businesses (38 percent) didn’t expect to be compliant until early 2020 or later. On the other hand, to date there haven’t been as many GDPR enforcement actions as many observers expected—despite more than 200,000 cases having been referred to data protection authorities (DPAs) across Europe and 64,000 data breach notifications.
In total, €56m in total fines were handed out across Europe in the last year. Most of the fines were issued against small to midsized businesses, although the €50m levied against Google drew the most attention as well as the lion’s share of the total fines.
Wilson says, “In general, companies expect to see many more enforcement actions in the future. The regulators are warning that there are many more actions in the pipeline.”
How are businesses really responding to GDPR?
There is a definite desire to be compliant, which is seen in the hiring of data protection officers (half a million companies have registered DPOs in the past year according to IAPP). Then there’s the surge in global spending on security-related hardware, software, and services (forecast by IDC to reach $103.1 billion in 2019, up 9.4 percent from 2018).
According to Wilson, however, achieving GDPR requires an ongoing, company-wide commitment: “The companies well on their way to GDPR compliance are those who have established risk processes and also incorporate data privacy into their business framework as a whole. The companies in the best position see GDPR compliance as an ongoing effort. They’re devoting the necessary time and money to getting it right.”
What is the general attitude to GDPR?
For every prepared business, there are plenty more that are struggling to comply with GDPR, but Wilson says this is to be expected: “Cyber security is still a young field from a corporate perspective. Chief information security officers didn’t start being hired until the mid-1990s, and many businesses today still don’t have a chief information security officer or chief privacy officer. Many organizations simply don’t know how to protect their data.”
“When I speak to risk managers,” Wilson continues, “many are concerned with how to keep on top of GDPR compliance efforts. Speaking to technology partners, as well as keeping up to date with industry news, should help inform managers of changes. Partners should also be able to support compliance efforts with their products. Ventiv, for example, has been helping clients across the globe manage their data to GDPR standards through the Data Governance module.”
What should we expect to see next?
“We are currently still in a ‘wait and see’ situation,” Wilson says. “When we see consistency in enforcement actions, there will be an uptick in compliance from companies. There are some interesting cases going through European Courts of Justice, at the moment, and when we have good case law we can better understand the expectations from regulators.”
And what about the data-privacy regulations being rolled out in other countries? Wilson sees data protection and privacy regulations in the United States (at both the federal and state levels) as something businesses should focus on. The most well-known reform currently is the California Consumer Protection Act (CCPA), which will come into force in 2020.
“Interestingly, we are not getting many questions or inquiries from organizations in Europe about the CCPA,” Wilson observes. “It seems at the moment that risk managers don’t realize that this U.S. legislation, and others across the globe, will affect their business. Now is the time to speak to suppliers and other third parties, like Ventiv, to find out what this will mean for them.”
