2 Years Later: How Has GDPR Impacted Your Business?

June 4, 2020

In May 2018, the European Union (EU) enacted a privacy regulation that would become a turning point for data protection and cybersecurity – the General Data Protection Regulation (GDPR).

The goal of GDPR was to change how organizations conducted their data collection and storage practices. It applies to any business or individual that collects, stores, transfers, or processes personal data on EU citizens. If your business consumes the data of any natural person within the EU, you must be GDPR-compliant.

Since 2018, many organizations – small and large – have been fined by data protection authorities in the EU over non-compliance. Most notably, in January 2019, Google was fined €50M by France over a lack of transparency and not having valid consent over how it processes data to serve personalized ads.

GDPR’s Impact on Business Operations

Many US-based multinational organizations have had to consider the impact of GDPR on their international activities, not only for customers and vendors but for their global workforce as well.

In fact, many companies have been forced to shut down lines of business if they cannot financially absorb the costs related to changing business operations to comply with GDPR. This is especially true for small-medium sized businesses that have been impacted by the recent COVID-19 pandemic.

GDPR has added an additional layer to how organizations handle their consumers’ personal data, how they reduce the amount of data being transferred, or how they need to ensure data security in case of a cyber attack.

Has GDPR Been as Effective as Expected?

According to ISACA, data subjects (individuals) have shown heightened awareness over which entity has access to their personal data and are exercising more control over that data than ever before. In response, data controllers (businesses) have made significant changes to how they handle the personal data of their consumers in order to comply with GDPR.

GDPR has influenced many countries outside the EU to “adopt measures in order to harmonize their data privacy legislations with GDPR”. In this way, GDPR has provided a solid foundation for additional data protection regulations beyond just the EU. In fact, it has led to the creation of increased privacy standards outside of the EU. Most recently, the California Consumer Privacy Act (CCPA) also went into effect as of January 2020.

GDPR is the first step on the path to giving the control of personal data back to the individuals, and there is no denying its impact on the cybersecurity community at large. In fact, GDPR ownership often falls to the IT Security team, even though responsibility lies across the entire organization – from security to operations and marketing.

Unlike other security compliance regulations such as PCI DSS or ISO-27001, GDPR doesn’t include a detailed list of security controls for IT professionals to check off. Many organizations struggle to achieve GDPR compliance in the absence of prescriptive instructions.

If you are challenged with achieving or maintaining GDPR compliance, Herjavec Group recommends the following:

• Conduct a current state review of existing data protection governance, practices and controls
• Undergo a Data Protection or Privacy Impact Assessment for existing business services
• Hold a data identification and inventory workshop for the discovery of the data that you need to protect under GDPR

One thing is clear: As businesses grow and scale their operations, and cybersecurity programs along with them, they must keep data privacy regulations top of mind.

To learn more about the General Data Protection Regulation requirements, please click here.

Herjavec Group can help your organization achieve GDPR compliance. From GDPR Readiness Assessments and Data Protection & Privacy Impact Assessment evaluations to Data Identification & Inventory Discovery Workshops, learn more about our Privacy & Compliance Services and contact us to begin an assessment.