GDPR – Year 1

July 22, 2019

The European Union’s (EU) General Data Protection Regulation (GDPR) has been in effect for over a year now. GDPR’s key objective was to give people more control over their personal data. Its requirements have reshaped compliance programs and forced an evolution in the privacy landscape. With potential penalties of up to €20 million or 4% of worldwide annual turnover, whichever is higher, GDPR has pushed organizations to better protect the personal data with which they have been entrusted.

About a year ago, more than half of the U.S. and European companies surveyed in the IAPP-EY Annual Governance Report 2018 were unprepared for GDPR. Even now many organizations still struggle to comply and are at various stages in their GDPR journey. According to an April study from Possible Now, only about a quarter of U.S. companies are fully compliant with GDPR.

In addition to GDPR, organizations now need to comply with newer data protection laws and breach notification regulations, many of them influenced by GDPR. Several of these laws also restrict cross-border transfers, placing stringent requirements on companies before they move data about a citizen out of that citizen’s country. In the United States, for example, the California Consumer Privacy Act of 2018 (CCPA), which goes into effect on January 1, 2020, gives Californians broad rights over their personal data. The EU is also considering a new ePrivacy Regulation (ePR) that would supplement GDPR and govern the handling of electronic communications data such as cookies and location data.

GDPR-related enforcement actions have been taken by various EU data protection authorities, and the fines levied against large organizations have made headlines and served as a wake-up call on the ramifications of non-compliance. According to a recent survey, about 60,000 breaches were reported during the first eight months and about $62 million in fines were imposed in the first nine months. In January 2019, Google was fined €50 million (about $56.8 million) by the French data regulator CNIL for failing to sufficiently inform users about how personal data was collected and used for online ads. In July 2019, the UK Information Commissioner’s Office announced its intention to fine British Airways about $230 million for insufficient security that led to a 2018 data breach, in which attackers used a digital card skimmer script injected into the company’s website and mobile app to steal the personal and payment card details of roughly 500,000 customers.

The road to GDPR compliance includes classifying and monitoring personal data. However, identifying, indexing and effectively tracking activity against GDPR-regulated data in large, complex business landscapes requires actionable visibility into data managed across legacy, custom-built and commercial business applications and databases. Pathlock’s Application Security Monitoring solution accelerates detection of potential data breaches with non-disruptive data discovery as well as rapid auditing and reporting of user activity across business applications. Pathlock streamlines compliance with global data breach notification requirements while proactively capturing the evidence needed to support post-breach investigations.

Find out how to use Pathlock for discovering and monitoring your GDPR-regulated data.