As advanced economies begin to emerge from the pandemic, more companies are declaring themselves open for business. It begs the questions: Are regulators open for business as well? Did they ever go away?
Well, just like many other businesses; regulators and watchdogs went remote and adjusted their protocols, but they did not go away.
Perhaps a better question to ask, amid the upheaval of COVID-19 and the challenges it’s put on business: Did regulators ease up on some rules to give companies breathing space in the pandemic?
Take the European Union’s General Data Protection Regulation, which came into effect three years ago. The law, designed to address the transfer of personal data outside the EU and European Economic Area and give individuals control over their own information, brought a seismic change to any company managing the information of individuals and doing business with the 27-nation bloc.
The legislation allows data protection authorities in EU countries to levy fines of as much as 4% of a company's annual global turnover (or 20 million euros, whichever is higher) for violations of the regulation, not only for data breaches.
Spooked by the threat of staggering penalties, organizations sank eye-watering levels of resources into compliance ahead of enactment of GDPR. Almost eight out of 10 U.S. companies took steps to prepare for the rules, with 27% spending more than half a million dollars to become compliant, according to LegalJobs, a recruitment platform for legal professionals.
As the pandemic took hold last year, according to Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals (IAPP), regulators recognized the unique circumstances businesses encountered as supply lines were disrupted, business relations upended, and entire workforces moved to work from home. But as companies return to normal operations, it’s to be expected that data protection authorities will “shift gears and accelerate enforcement procedures, including in hot-button areas such as ad tech and global data transfers,” Tene says.
Of course, no regulator is going to concede that any rules and compliance were relaxed during the pandemic. For its part, the U.K.’s Information Commissioner’s Office stated it would be “flexible” in its approach and focus on “the most serious risks and greatest threats to the public.” Last month, Dominic Cummings, the controversial former top adviser to Prime Minister Boris Johnson, said in a parliamentary hearing that he told agencies to ignore the EU data protection laws in order to help coordinate Britain’s response to the pandemic.
Hilary Wandall, senior vice president of privacy intelligence and general counsel at TrustArc, an information governance and data security adviser, says that while there may be a perception that GDPR enforcement in a general sense has slowed, more penalties are in fact being handed out.
“We track the fines, and we’ve actually seen a trend toward increased penalties,” says Wandall.
She highlights the 6 million euro fine handed out to CaixaBank by the Spanish Data Protection Authority (AEPD) earlier this year for failing to process personal data lawfully and not providing customers with adequate information about privacy policies. The month before, in December 2020, AEPD fined another Spanish bank, BBVA, 5 million euros for GDPR violations.
Despite the pandemic, companies should be vigilant and prepare for closer scrutiny and potentially stiff penalties, says Rene Bentvelzen, global data protection officer at Netherlands-based Unit4, which provides enterprise applications for professional services and which began a compliance and awareness initiative when GDPR went into effect.
He also says there’s more to GDPR than avoiding crippling fines and that compliance is “simply good business practice and good for reputational image.”
There are a number of steps companies can take toward GDPR compliance to avoid the wrath of regulators. A good start is deciding which regulations apply, Wandall says. Companies must consider how the regulations relate to each other, then craft a programmatic approach.
Wandall recommends using a framework to underpin governance. “You need people who understand the legal requirements, but also the engineers developing the software solutions need to know how to build privacy in,” she says. “It’s all about how you are managing data for optimal value and how you are managing the risk.”
Brian Spanswick, chief information security officer and head of IT at Cohesity, a data management company, emphasizes that there is nothing new under the sun when it comes to conforming to GDPR. Companies can improve privacy and visibility by encrypting confidential data both in transit and at rest; limiting or eliminating options that allow users to download confidential data to personal machines; and requiring access to confidential data to go over secure networks, such as virtual private networks.
“People need to remember that these privacy protections are gaining traction for a reason, and it’s not just compliance to the regs,” Spanswick says. “It’s also about being good stewards of our customers’ and partners’ data.”
To do that, enterprises need to stay ahead of the bad guys, who are looking to exploit vulnerabilities and misconfigurations in endpoints and across networks. Using an appropriate platform for security configuration management, one which offers real-time data and remediation tools, can help CISOs and IT Ops leaders not only improve IT hygiene but gain near-instant visibility across tens of thousands of endpoints on their networks.
These platforms also offer metrics for key reporting and compliance audits in real time, which boosts security and productivity, because workers don’t have to cobble together data from multiple tools by hand. This simplifies workflow, eliminates tool sprawl, and puts compliance data in one place.
Many commentators agree that as we emerge from COVID-19, companies will be tempted to ignore GDPR and other privacy regulations, and it’s incumbent upon their legal and security aides to impress upon them the perils of doing so.
“It’s highly possible that GDPR compliance has become less of a focus for some organizations,” says Oliver Cronk, chief architect for the EMEA region at Tanium. “I believe some oversights could happen which will incur large GDPR fines over the next year or two.”