Data protection authorities across Europe are extremely busy trying to protect the rights and freedoms of individuals whilst dealing with a massive number of breach notifications – the European Data Protection Board says there were more than 200,000 referrals in the first year of GDPR enforcement. With this many breach notifications in Europe, we’re seeing a growing level of enforcement.
So far, data from the GDPR Enforcement Tracker shows the financial penalties for non-compliance have ranged from small fines of just over £100 to more than £100 million. In total, authorities have issued £50 million in fines, with more than £280 million pending issue. The scale of some of these fines shows data protection authorities are ready to bite when needed, but are there any trends in what they’re fining organisations for?
Four of the five biggest GDPR fines relate to Article 32
Article 32 violations vary widely, from a lack of pseudonymisation and access controls to inadequate vulnerability scanning, patching and testing. Because the Article covers these security controls, any breach caused by a cyber-attack falls squarely within it, is highly visible to the public and is taken very seriously. And if the data ends up in the hands of a hacker, people could be subject to fraud, identity theft, blackmail and other crimes – it’s virtually impossible to monitor what happens to the data after it’s stolen.
From a data protection authority view, it’s easy to understand why an Article 32 breach warrants a heavy financial penalty. In fact, four of the five biggest GDPR fines relate to infringements of Article 32, totalling £284 million. The Article’s focus on securing personal data is core to maintaining many of the other rights specified within GDPR. After all, hackers don’t do erasure requests.
What is Article 32?
Article 32 sets out a series of legally binding requirements for securely handling an individual’s data. Many of these were already best practice, but the fact they’re now mandatory means organisations need to pay closer attention.
Article 32 pushes Data Protection Officers into the world of the Chief Information Security Officer and gives practical advice as to what is acceptable in the eyes of a data protection authority. As a minimum to comply with Article 32:
Ensuring Article 32 compliance could save millions
Whilst assessing how to comply with Article 32, organisations must account for the risks in processing. These include accidental or unlawful destruction, loss, alteration and unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Such risks can be particularly difficult for organisations to assess during mergers, acquisitions and organisational transformation projects. There must be elevated levels of due diligence to uphold individuals’ rights in these fast-changing environments.
Whatever the nature or cause of the data leak, events this year have provided a wake-up call for organisations to look again at their data privacy. Most organisations made sure they were compliant on 25 May last year, but data privacy is an ongoing obligation. As changes happen constantly across organisations and third parties, they must reassess where they hold data, ensure they have the right controls in place and stress-test everything. They should also engage their workforce, communicating the perils of non-compliant behaviour, poor practices and negligence. For example, we worked with a multinational pharmaceutical company to ensure they had programme management practices that could reflect evolving GDPR guidance.
They must also plan for the worst. It’s difficult to assess breach impact accurately and quickly, but having plans in place to gain an early understanding of who’s been affected, and to send the right communications, will be pivotal to how data protection authorities view GDPR breaches. Considering recent fines by the ICO, taking the right actions now could save millions.