Fear is a great motivating factor for people to start complying with previously ignored rules and regulations – whether that applies to COVID-19 or GDPR. Take for instance the increasing number of anti-maskers suddenly masking up following spiking numbers of COVID-19 deaths in their area. Like most of us, who don't believe authorities' dire predictions until they hit home, people still tend to be reactive rather than proactive – and even more so when an ongoing situation is rife with uncertainty.
The story of GDPR preparedness seems to follow a similar path. Although the regulation was introduced in May 2018, and there has been no dearth of heavy fines hitting businesses since, an overwhelming number of EU, US and UK businesses are still not fully GDPR compliant, and some have not yet even begun their GDPR initiatives.
Like COVID-19, GDPR doesn’t seem to be going away anytime soon, although some businesses would probably like it to. So why, after more than two years, are so many organisations unable to rise to the challenge?
GDPR is a hard act to follow
Since it came into force in 2018, GDPR has caught on around the world like a highly contagious virus. And as more data privacy regulations pop up (e.g. the California Consumer Privacy Act, the Brazilian General Data Protection Law (LGPD), the India Personal Data Protection Bill, the Chile Privacy Bill Initiative, the New Zealand Privacy Bill, etc.), germinate and spread across the world, organisations are increasingly unsure of how to proceed. The complexity of an ever-expanding global regulatory framework has become simply overwhelming for businesses that don't have proper tools and strategies in place. It is obvious that the difficulty of understanding the legislation, of knowing when and how to report, and of knowing how to deal with incidents has been a deterrent for organisations wanting to meet the GDPR compliance challenge, severely undermining their confidence in their ability to do so.
Meanwhile, no one is cutting those unprepared companies any slack; in the last 10 months alone, the EU authorities stepped up enforcement against non-compliant businesses, handing out a whopping 160,000 violations. This represents a 260% increase in violation reporting compared with 2018 to 2019. So, while some companies are busy scrambling to find tools and put solutions and processes in place, other, less fortunate organisations are already paying over €175 million in fines issued in 2020 – with 45 fines issued in October 2020 alone!
Fear of Flying during COVID-19
Beware: in case you thought COVID-19 might be a nice excuse to give to the local data protection authorities (wherever you are) when they knock at your front door, don't count on it. Although British Airways is already incurring huge losses from the COVID-19 travel fallout, it was just slapped with a fine of £20 million for a 2018 data breach that had exposed the data of over 400,000 customers. Undetected for two months and caught only by a third party, the breach, which exposed personal data such as employee login credentials and credit card information, caused tremendous harm to BA's reputation.
So watch out – although a recent ICO decision reduced the original fine from £184 million to £20 million (owing to BA's recent COVID-19 business losses combined with the improved security solutions now in place), no one should get complacent. The breach was considered a severe failing because of the number of people affected, and the class-action lawsuits that might follow could yet bring BA more grief.
Unmasking the Solution: VinciWorks’ GDPR Reporting Portal
Aware that companies have found GDPR compliance more difficult than expected, VinciWorks has built a GDPR breach reporting portal to guide organisations through the complex process of GDPR incident tracking and reporting, whatever level of GDPR knowledge exists internally.
Powered by our data collection tool, Omnitrack, our completely customisable form takes the submitter and the reviewer of the incident through an unfolding logical reporting decision tree using GDPR and relevant national and local data protection legislation as its frame of reference. The beauty of the solution is that it can effortlessly be adapted to the internal workflow and business processes of the organisation and so is suitable to every organisation, big or small, national or international.
And for those who find the legislative logic daunting, learning has been built into the system to unravel the complexities of GDPR compliance as the suspected breach incident information is entered for potential reporting. Multiple admin accounts, timed automatic reminders, a full audit trail and built-in reporting features add up to a simplified yet sophisticated tool that will guarantee cost-effective GDPR compliance.
What goes around comes around
Gradually and perhaps grudgingly, we must internalise that we could be the next target of the ICO. It's time to weigh the risks and make the investment in having the right paraphernalia and doing the right thing for everyone concerned – that is, our business and our consumers. Slapping on the mask after those invisible particles – be they data or viral – have circulated around the globe is not going to stop you from becoming known as a careless super-spreader of someone else's personal data.