GDPR: Early implementation and Covid-19 fallout
When the GDPR was first introduced, it was hailed as a truly human-centric piece of legislation, focused on ensuring that organisations could no longer misuse personal data as a standard practice in their operations. However, it was unclear for some time what organisations could expect from the regulators if they were found to be in breach of the law.
The lines were blurred on what compliance meant in practice and on how, and how hard, it would be enforced. This laissez-faire approach toward GDPR compliance was exacerbated by the onset of the COVID-19 pandemic, which saw regulatory attention shift towards helping organisations weather the storm rather than towards enforcement.
The post Covid-19 landscape
Now it has become clear that regulators are determined to penalise non-compliance and to reverse a trend of breaches that, according to the ICO, have become more frequent. The reality is that many organisations, across regulated and non-regulated industries, have been paying lip service to true GDPR compliance.
This is evidenced by the continued use of production data in non-production environments for testing, development and training. Legacy systems and masking techniques that do not deliver true anonymity are still commonplace, and under GDPR that matters: pseudonymised data is still personal data (Recital 26), so a masked copy of production data in a test environment carries the same obligations as the production system it came from, usually without the same controls.
Legacy data manipulation challenges
Legacy masking and anonymisation techniques (field suppression, substitution, generalisation), which are most often used to protect customer data, have some critical weaknesses, namely:
- destroying key statistical relationships in the original data,
- being time-consuming and resource-intensive,
- vulnerability to being ‘unmasked’, by reversing the transformation or by linking the remaining fields to another dataset, to reveal the original data.
These weaknesses limit both the utility of the data and the ability to share data more freely, and the whole process can take several months, which reduces organisations’ capacity to collaborate and innovate.
Of greater concern is that re-identification techniques can be run against insufficiently masked data to single out individuals and expose sensitive information about them. Masked data may not directly identify anyone, but the fields left behind (postcode, date of birth, sex and similar quasi-identifiers) will do so when combined with another dataset that carries names, and some attributes are uniquely identifying on their own.
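The linkage attack described above, and the generalisation trade-off in the bullet list before it, as an added example that is not part of the original article. The extract, the public auxiliary dataset and all names and postcodes are constructed; `QUASI_IDENTIFIERS`, `k_anonymity`, `link` and `generalise` are hypothetical helper names, and the "diagnosis" column stands in for whatever sensitive attribute a real test copy would carry.

```python
from collections import defaultdict

# Quasi-identifiers: fields that are not names or IDs but, taken together,
# single out a person. Postcode + date of birth + sex is the classic trio.
QUASI_IDENTIFIERS = ("postcode", "dob", "sex")

# Constructed "masked" test extract: direct identifiers (name, customer ID)
# stripped, quasi-identifiers kept intact for realism, sensitive column retained.
MASKED_RECORDS = [
    {"postcode": "SW1A 1AA", "dob": "1975-03-12", "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "SW1A 1AA", "dob": "1975-03-12", "sex": "F", "diagnosis": "asthma"},
    {"postcode": "M1 1AE",   "dob": "1990-11-02", "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "M1 1AE",   "dob": "1990-06-30", "sex": "M", "diagnosis": "none"},
    {"postcode": "M1 2AB",   "dob": "1990-06-30", "sex": "M", "diagnosis": "depression"},
    {"postcode": "EH1 1YZ",  "dob": "1962-01-19", "sex": "F", "diagnosis": "cancer"},
    {"postcode": "EH1 2QT",  "dob": "1962-09-05", "sex": "F", "diagnosis": "none"},
]

# Constructed public auxiliary dataset (think electoral roll or a leaked
# customer list): names plus the same quasi-identifiers.
PUBLIC_RECORDS = [
    {"name": "A. Patel",  "postcode": "SW1A 1AA", "dob": "1975-03-12", "sex": "F"},
    {"name": "B. Jones",  "postcode": "SW1A 1AA", "dob": "1975-03-12", "sex": "F"},
    {"name": "C. Okafor", "postcode": "M1 1AE",   "dob": "1990-11-02", "sex": "M"},
    {"name": "D. Singh",  "postcode": "M1 1AE",   "dob": "1990-06-30", "sex": "M"},
    {"name": "E. Brown",  "postcode": "M1 2AB",   "dob": "1990-06-30", "sex": "M"},
    {"name": "F. Murray", "postcode": "EH1 1YZ",  "dob": "1962-01-19", "sex": "F"},
    {"name": "G. Reid",   "postcode": "EH1 2QT",  "dob": "1962-09-05", "sex": "F"},
]


def qid_key(record, qids=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that the join runs on."""
    return tuple(record[q] for q in qids)


def equivalence_classes(records, qids=QUASI_IDENTIFIERS):
    """Group record indices by quasi-identifier values."""
    classes = defaultdict(list)
    for i, rec in enumerate(records):
        classes[qid_key(rec, qids)].append(i)
    return classes


def k_anonymity(records, qids=QUASI_IDENTIFIERS):
    """k is the size of the smallest class; k == 1 means someone is unique."""
    return min(len(members) for members in equivalence_classes(records, qids).values())


def link(masked, public, qids=QUASI_IDENTIFIERS):
    """Linkage attack: join masked rows to the public dataset on the quasi-identifiers.

    Returns {masked_index: (name, diagnosis)} for every row that matches exactly
    one named person, i.e. the rows the 'masking' did not actually protect.
    """
    names_by_key = defaultdict(list)
    for person in public:
        names_by_key[qid_key(person, qids)].append(person["name"])
    hits = {}
    for i, rec in enumerate(masked):
        names = names_by_key.get(qid_key(rec, qids), [])
        if len(names) == 1:
            hits[i] = (names[0], rec["diagnosis"])
    return hits


def generalise(record):
    """Coarsen quasi-identifiers: postcode -> outward code, date of birth -> decade.

    This is the legacy mitigation the article describes: it raises k, but it also
    destroys the age-level and street-level statistics the data was kept for.
    """
    out = dict(record)
    out["postcode"] = record["postcode"].split()[0]
    out["dob"] = str(int(record["dob"][:4]) // 10 * 10) + "s"
    return out


if __name__ == "__main__":
    print("k on raw masked extract:", k_anonymity(MASKED_RECORDS))
    for idx, (name, diag) in sorted(link(MASKED_RECORDS, PUBLIC_RECORDS).items()):
        print(f"row {idx} re-identified as {name}: {diag}")
    gen_masked = [generalise(r) for r in MASKED_RECORDS]
    gen_public = [generalise(r) for r in PUBLIC_RECORDS]
    print("k after generalisation:", k_anonymity(gen_masked))
    print("re-identified after generalisation:", link(gen_masked, gen_public))
```

On the constructed extract, five of the seven "masked" rows are re-identified by a single join, and the only rows that survive are the pair sharing every quasi-identifier. Coarsening to outward code and decade pushes k from 1 to 2 and defeats the join, but it also wipes out the detail a developer or analyst wanted the data for; that loss of utility is the first weakness in the list above, and it is why the two goals pull against each other.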
Escalating GDPR penalties: can you afford the risk?
The significant increase in fines for GDPR non-compliance, from €158.5 million in 2020 to just under €1.1 billion in 2021, is a signpost for what is coming if organisations continue to ignore GDPR laws. Regulators are ever more determined to ensure that data laws are enforced. Over the next few years non-compliance will mean a more difficult business environment for companies to operate in, along with increasingly punitive fines.
Are you prepared for the changes that are coming as a result of greater enforcement in data laws? Is your company at risk of facing hefty fines due to non-compliance? Do you want to learn more about the potential reputational fallout and impact on product development and innovation?
If you’re eager to prepare your organisation for the inevitable scrutiny and learn how you can hedge your organisation against the enforcement of data laws watch our webinar highlights or get in touch.