GDPR – One Year Later…
It has been a little over one year since the European Union’s General Data Protection Regulation (GDPR) took effect in May of 2018. The new requirements impact not only businesses located in the EU, but businesses around the world doing business in the region. Like PCI DSS (Payment Card Industry Data Security Standard) and other regulations before it, GDPR compliance is still a work in progress. Organizations are encouraged to monitor the European Data Protection Board website to keep up to date with their country’s Data Protection Authorities (DPAs). Penalties for non-compliance are severe, both in fines and in damage to your business’s reputation, so companies can’t afford to sit back and take a wait-and-see approach.
What have we learned? First, GDPR is a major challenge for many companies when it comes to getting board approval for financial and personnel investments. The threat of large fines and sanctions captured their attention early on, but the challenge is committing the necessary resources on an ongoing basis. It is important for your business to document its policies and procedures. If you’ve been given approval to hire or contract a privacy professional, you will find they are in high demand. Finding the right people is key.
DPAs have imposed fines on several companies in the first year, indicating they are serious about enforcement. Early on, DPAs were more lenient about giving companies time to comply, but the honeymoon period appears to be over. If you clicked on the link above to the European Data Protection Board’s website, one of the first things you will see is an article titled, “First Significant Fine Was Imposed for the Breaches of the General Data Privacy Regulation in Lithuania.” The company fined in this instance is accused of three infractions: (1) improper processing of personal data, (2) publicity of personal data, and (3) failure to give notification of a personal data breach. The GDPR: Report cites fines imposed on several other organizations: one on a Polish company for failing to inform people their data would be processed, and another from the Dutch DPA sanctioning the country’s tax authorities for using the national identification number unnecessarily for self-employed workers. The sanction stated that the use of the national identification number for this purpose increases the risk of identity fraud and has no foundation in law. Malta’s national land register is under investigation for how it handled a data breach.
Several of these examples hit close to home. The Property Records Industry Association (PRIA) tackled redaction of Social Security Numbers from land records more than a decade ago. While many states passed redaction legislation, other states took alternative approaches, placing the responsibility on the filer. All states attempt to limit the acceptance of SSNs where they are not necessary. Courts in the US are also aware of the sensitive data they handle and are trying to determine how to proceed in order to limit exposure.
GDPR has influenced the California Consumer Privacy Act (CCPA), which goes into effect in January of 2020 and is focused on data subject rights. It does not, however, include the sanctions and accountability outlined in GDPR. Brazil’s General Data Protection Law takes effect shortly after California’s, in August of 2020. More countries are sure to follow as they strive to protect data subject rights and enforce data breach and accountability requirements.
If you’re interested in learning how Extract helps companies meet privacy requirements by automating the redaction process, please reach out today.