When GDPR came into effect three years ago, it only impacted companies doing business with Europe in some way. While that encompasses a large swath of businesses, many enterprises had nothing to worry about.
But GDPR Compliance is now something nearly all businesses have to contend with. GDPR is the basis of new rules in new places, such as the California Consumer Privacy Act (CCPA). In short, GDPR is nearly everywhere.
Meanwhile, many still struggle with compliance three years in, and even those that had a handle on GDPR early on have seen their business change in ways that must continually adapt to compliance rules.
Meanwhile, enforcement of GDPR and GDPR-like rules is getting stricter, fines remain steep, and compliance investigations are intensely disruptive.
Progress knows that not everyone has a handle on GDPR Compliance, so we went to the experts at Osterman Research who wrote a guide ‘GDPR isn’t Getting Any Easier – How to Master the Tough Parts’ to lay out the issues.
The experts from Osterman detailed what GDPR is and how it has changed over the years. Understanding the rules, along with new adaptations and related regulations, is key to compliance.
Non-compliance first of all means that your environment is not secure, so even if you technically don't fall under GDPR regulations, it is a good practice to act as if you do. Fines for non-compliance are increasing: they are given out more frequently, and in larger amounts. Your exposure could be up to 4% of your annual income or $24.2 million, whichever is higher.
Meanwhile, running afoul of GDPR rules means an intensive investigation which disrupts your business, and regulators can even restrict your existing processes or stop them completely.
The investigation itself might cause the biggest issues. “Investigation by a supervisory authority will likely create significant disruption across an organization, creating even more financial impact, loss of confidence from customers, prospects, stakeholders and employees. It might also impact shareholders’ support and the share price for a public company. In addition, there is the added risk of the auditor finding additional issues that could require further investigation and remediation,” the Osterman report pointed out.
The Importance of Data Governance
Good data governance is key to compliance. Records must be kept of all relevant processing activities that involve personal data. And this data must be treated with care, including encryption in motion and at rest, gathering personal data only when it is absolutely required, and processing personal data only when that is completely necessary as well. When data is moved, it must be moved safely, sent only to those with the authority to view it, and sent in a secure and trackable way.
The Need for Deep Data Protection
Osterman argues that “data protection must be by design and by default”, and that “This requirement is in service of the overriding principle of minimizing damage to the rights and freedoms of data subjects, and includes the mandate for both robust organizational and technical measures.”
In fact, fines against such companies as Telecom GmbH and Marriott International are for “insufficient technical and organizational measures to ensure information security”.
Cyber security must be both broad and deep. “All endpoints, gateways, web applications, cloud services, etc. must have robust safeguards to prevent unauthorized access, stop unauthorized changes, and protect any type of personal data from malicious threats that attempt to compromise data integrity,” Osterman argued. “Anomalous activities should generate alerts for further investigation, and in high-risk situations, begin automated actions that safeguard personal data. Security tools should also continually assess endpoints, servers and other systems to new threat possibilities to determine if there are out-of-date and unpatched operating systems and applications.”
Get the Full GDPR Skinny
Secure File Transfer Vital for GDPR Compliance and Overall Data Safety
Many data breaches occur when files are moved within your organization or to partners and other organizations with a vested interest. These breaches come with GDPR investigations and often crippling fines. With MOVEit from Progress, you can establish secure collaboration and automated file transfers of sensitive personal data. These files are not only moved safely, they are also encrypted and their activity is tracked to ensure compliance with GDPR, as well as PCI and HIPAA.
This way you no longer rely upon your employees emailing personal data to other employees or outside entities, or using insecure file sharing services. With Managed File Transfer (MFT), you eliminate user error and can track and report the details of every file transfer.