Three years after it became law, Europe’s GDPR still sets the global standard for data protection legislation.
When it comes to encouraging best practice, there’s nothing like the robust enforcement of meaningful legislation to grab one’s attention. In all areas of compliance, whether it be workforce health and safety, financial conduct or cybersecurity, it’s a willingness to enforce the rules, and penalise those who are negligent, that impacts behaviour.
Against a backdrop of state-sponsored ransomware attacks, cyber terrorism and an apparent pandemic of cybersecurity apathy, strong data protection legislation has never been more important. To be effective, a regulation’s bite needs to be as bad as its bark. Organisations are well aware that cybersecurity regulations outside the EU often lack the effectiveness of meaningful penalties and the broad cybersecurity coverage of the GDPR.
Historically, some organizations have been reticent to adopt cybersecurity best practice because it came at a perceived high cost, either in terms of capital outlay or the potential impact on network or application performance. As Einstein would have said, all things are relative.
The average cost of a data breach in 2020 was $3.86 million, not an inconsiderable sum. The number comprises the costs of identifying, escalating and mitigating the impact of a breach, part of which may include financial penalties by regulatory authorities. Traditionally, these penalties amounted to little more than a slap on the wrist, that all changed with the introduction of the GDPR.
Legislation with teeth
When the GDPR first came into effect the penalty clauses raised more than a few eyebrows. Rather than a token gesture, the regulations proposed some heavyweight fines. The maximum penalty for non-compliance was set at €20 million or 4% of global turnover, whichever is greater. For large multinationals, measuring turnover in the billions, this could be a significant sum. Any organization that thought these numbers were just scare tactics would be proved wrong.
In three short years, enforcement of the GDPR has seen fines of many hundreds of million euros handed out. Principle amongst them were the fines for Marriott International Hotels and British Airways (€110.3 million and €211.7 million respectively).
However, GDPR penalties are not exclusively financial. They include requirements for data breach public disclosure and notifications to all affected third parties. The impact of a publicly disclosed breach goes beyond just a loss of face. It extends to share value, brand equity and customer loyalty.
The strict penalties levied by the GDPR are not reflected in other national or regional regulations, but this doesn’t mean international organizations can’t be caught in the jaws of the legislation. Tech giants Google (€50 million) and Amazon (€35 million) have also been hit with significant fines.
Data sovereignty also has a role to play, as any data generated in EU member states is governed by the regulations, regardless of the nationality of the organisation. In a connected world this means any company dealing with the EU is governed by the GDPR. Global organisations that take data protection seriously have found it beneficial to adopt the guiding principles of the GDPR as the basis for their own cybersecurity policies.
Best practice data protection
Effective cybersecurity strategies need to include elements of both prevention (EG firewalls) and protection technologies (EG encryption) if they are to provide a resilient defence against today’s diverse and persistent cyberattacks.
Despite recognition of core encryption data protection competencies such as separation of duties, encryption key lifecycle management and the use of standards-based algorithms, encryption is still not consistently deployed across enterprise infrastructure.
Once again, the GDPR sets a new standard in respect of best practice; mandating that sensitive, personally identifiable information (PII) should be protected by “strong encryption”. In recognition of this, a breach of encrypted data is not deemed an automatically qualifying breach, negating the need for public disclosure.
Evolving global standards
The alarming increase in state-sponsored cybercrime, typified by the recent SolarWinds hack, and ransomware attacks like the Colonial Pipeline incident, are shaping the future of data protection regulations across the world. International groups with deceptively cute names and affiliations to Russia, China, North Korea and Iran have been responsible for some of the most damaging hacks in cybersecurity history.
In the US, the Biden administration has moved quickly in the wake of several high-profile breaches to establish new federal initiatives, covering both government and commercial data security. In addition to making two key cybersecurity appointments to the executive team in the White House, they have announced plans to “draft cybersecurity regulations akin to Europe’s GDPR”. This new stance recognises the serious threat posed by data breaches and cybercriminals to both national security and the economy. It also recognises the evolving legacy of the GDPR as the gold standard for data protection regulation.
Post-Brexit the UK has reaffirmed its commitment to the principles of the EU GDPR, going so far as to add one more to the original 6 data protection principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
Happy anniversary GDPR, keep up the good work.