What impact has the new data protection directive had on businesses so far?
Everyone who expected immediate headline-grabbing penalties must be disappointed. Although the EU Commision received complaints on companies such as Facebook, Google, Instagram and WhatsApp within hours of the new data protection law taking effect, nothing massive has happened yet. And as the new directive increases the maximum potential fines up to €20 million (£17.6 million) or 4% of global annual turnover from the €551,000 (£500,000) penalty proposed in the “original legislation”, the interest of media won’t wear off any time soon.
How did the situation look like right before GDPR was enforced?
Long before GDPR’s strict directives went into effect, experts at ESET had assessed readiness for this capital change in data protection through the company’s compliance check form and, in the half-year period between November 2017 and May 2018, collected data from over 27,000 participants – mostly from European Union (EU) countries, where the free online assessment was actively promoted.
This compliance check uncovered various interesting facts about businesses in the EU. For example, it is now clear that most companies hold personally identifiable information (PII) on both customers (82.6%) and employees (70.2%). Moreover, slightly more than one fifth of the participants disclosed that they hold additional PII such as biometric and health data .
“An audit of data collection and processing might be the most useful thing any company can do with respect to GDPR. Even now, just a few months after this directive is active, it is the easiest way to make sure you won’t omit anything when finally setting things up to work in compliance with GDPR,” said Tomáš Mičo, ESET’s Senior Data Protection and Licensing Lawyer. “Whatever the outcome, it will give the company a fair outlook for the future and a view of the investments needed. With budgeting season peaking, this might be the best time of the year – if you haven’t done so already.”
At the same time, more than half (56%) of the companies admitted they haven’t performed an audit to make sure their company’s PII collection policy complies with GDPR, from what sources the data come, and with whom they share these data. Slightly more than half of these organizations (51.4%) had not documented their technical and organizational security measures applying to how these records are being processed. And just half a year before the GDPR deadline, only 47% of the key people in these companies were fully aware of all the rules changing due to GDPR.
Security in the new era of data protection
ESET’s compliance check went even further and inquired about the technical measures companies apply to prevent unauthorized access and use of personal data by cybercriminals.
Of all types of cybersecurity protection, the most used was software for malware detection and protection (90.6%). Further, the companies rely on browser protection software (87.8%), firewall (83.6%), access-restricting software (83.7%) and password-protected Wi-Fi networks (81.9%).
When asked about encryption software – the key method of protecting PII as mandated by GDPR – before the directive came to force, only one third of the companies surveyed had some of this personal data protection method implemented. Among the companies surveyed, the most commonly implemented encryption was for email (32.5%), followed by local file encryption (31%), and then network/cloud encryption (30.5%).
“Looking at the collected data I am quite surprised that only quarter of participants have in place software that encrypts contents of disks and USB sticks. The loss or theft of any device containing unprotected sensitive and personal data means undisputable danger to the companies concerned,” explained David Tomlinson, Manager of ESET Endpoint Encryption. “Since GDPR came into effect, we’ve seen a continual rise in those adopting encryption software, so the number might be expected to be higher now than few months before, although there is no data yet to support that view.”
GDPR is here. Although Data Protection Regulators (DPAs) have been magnanimous with regard to meeting out fines in these first few months after the inception of GDPR, and the EU Commission may have spared a couple of million in penalties here and there, the time for massive fines is yet to come. So, if you still haven’t made your business compliant yet, wait no longer.
For more information on the General Data Protection Regulation, ESET has a dedicated page.