I recently joined up with Airmic to host a webinar on the subject of the General Data Protection Regulation (GDPR); a timely issue as we continue to see massive companies such as British Airways, Facebook and Marriott hitting the headlines for large-scale data breaches. Despite the implementation of the GDPR back in May, we are still encountering regular reports of data privacy and protection breaches. Data protection is no longer merely an issue for company executives; increased awareness of data protection issues and fears about the misuse of personal data are firmly embedded in the public consciousness, and privacy has become more than just a check-box exercise.
Since May, data protection regulators across Europe have been overwhelmed by an avalanche of both breach notifications and privacy violation reports. For example, the French data protection regulator, the CNIL, and the Belgian Data Protection Authority are reporting upwards of 7-10 breaches per day. However, despite the huge number of reports, the first formal enforcement action issued in relation to the GDPR only occurred in September, when a Canadian company was handed a notice ordering it to “cease processing any data of UK or EU citizens for the purposes of data analytics, political campaigning or any other advertising purposes”. Subsequently, we’ve seen German regulators shutting down websites for inadequate privacy notices, and the Portuguese regulator recently issued a 400k euro fine against a hospital for insufficient access controls. It may come as a surprise that, despite the wide reporting of data breaches, it took so long for the first enforcement notice to be handed out, but regulatory authorities have been quietly reporting that GDPR enforcement actions are coming.
A global groundswell
It isn’t just a European issue; we have seen a global groundswell of support and a push for better data protection and privacy laws elsewhere in the world. India has taken its first steps towards the implementation of a data protection law with the submission of draft legislation entitled “Personal Data Protection Bill 2018” in August, and California recently passed the California Consumer Protection Act of 2018. Much like the GDPR in many ways, the Act extends the definition of personal data to data concerning “households” and to data that can be inferred from personal data. Australia, Canada, China and Russia are also in the process of establishing their own regulatory regimes, though those of both China and Russia are expected to be much stricter.
Many of these new regulatory regimes contain similar elements to the European GDPR, such as:
Data protection and regulation is firmly on the global agenda, and this has clear implications for companies that transact business globally. Eventually they will encounter a law that they must comply with, and they must adopt a broader data governance strategy to enable them to stay ahead of the regulatory curve.
As a company specialising in risk management software, Ventiv has access to large amounts of data, and our clients rely on us to ensure that data is protected and processed in a compliant manner, whatever country they reside in. We’re proud to have recently achieved ISO 27018 accreditation from the International Organisation for Standardisation (ISO), the first in our market to do so. This is a voluntary accreditation, but we believe it’s important to demonstrate that we have robust privacy measures and strong data governance and security programmes in place to protect our clients’ data. Although such accreditation is not currently mandatory, over the next 2-3 years I believe we will inevitably see a significant increase in compliance with internationally recognised standards, as companies seek to demonstrate to customers that they are serious about protecting their data.
Dec 19, 2018