GDPR year two: Assessing data management processes and compliance pitfalls
As we move into year two of the GDPR, there has never been a better time to assess whether your organization is doing the best it can to secure customer data and to take a holistic approach to asset lifecycle management.
The GDPR forced companies to determine not just how they use and store customer data, but also whether that data is properly secured. Not only does the law put consumers in charge of their own data, it also expands the requirement for companies to notify affected parties of a serious data breach. It further requires organizations to process data lawfully, meaning each processing activity needs a lawful basis, such as the data subject's consent.
In an era of nearly daily reporting on mass data breaches, the GDPR was meant to give consumers some protection and some awareness of how their data is captured, shared, stored, and used. The law also requires many organizations to appoint a data protection officer who "owns" the data privacy agenda.
No law or regulation will stop data breaches from happening, but the GDPR and similar regulations should be a wake-up call to businesses, and not just those based in the EU, that don't regularly review both their cybersecurity and their data management policies, practices and processes. Data governance and data management go hand in hand with regulatory compliance in general and the GDPR in particular, because it is far simpler to protect sensitive data when you know where it is, how it is stored and the rules by which it is governed.
Data breaches continue to pose a profound privacy problem
According to the 2019 Verizon Data Breach Investigations Report, more than 40,000 security incidents and over 2,000 confirmed breaches occurred in 2018, and 32 percent of those breaches involved phishing. While the numbers are somewhat lower than in the 2018 report, which counted about 53,000 incidents, cybercrime still has far-reaching consequences for businesses around the globe.
Moreover, the costs associated with data breaches continue to grow year after year. A recent IBM study puts the average cost of a breach to a U.S. business in 2018 at $7.91 million, a figure that does not include potential GDPR-related fines.
Under the GDPR, all companies that process EU residents' personal data, including U.S. companies that offer goods or services to people in the EU, can be fined for failing to report a qualifying data breach to regulators: up to 2 percent of worldwide annual turnover or EUR 10 million, whichever is higher. That same lower tier also covers inadequate security measures. For more fundamental violations, such as processing without a lawful basis, ignoring data subjects' rights or making unlawful international transfers, regulators can levy fines of up to 4 percent of worldwide annual turnover or EUR 20 million, whichever is higher.
For a small- to mid-sized U.S. company, the financial hit could be disastrous. For a large enterprise, such as a global Fortune 500/1000 company, the negative impact on brand reputation can be just as devastating.
Data breaches can have consequences long after the initial problem as well. Take the massive Equifax data breach, for example. First reported in 2017, it affected more than 143 million people, the vast majority in the U.S., along with about 19,000 Canadians. Two years later, the fallout continues.
Canada's Privacy Commissioner Daniel Therrien recently found that Equifax's lax data management processes exacerbated the breach. He cited the company's poor security safeguards, overly long information retention, inadequate consent procedures, a lack of accountability for Canadians' information and the limited protection measures offered to affected consumers after the breach. As a result, Equifax Canada and its U.S.-based parent company entered into a compliance agreement and have taken expensive steps to improve their security, accountability and data destruction.
Beware of lingering consumer data
As organizations revamp their data management and cybersecurity policies and processes to meet privacy regulations, they must also consider what to do with used, but no longer needed, hard drives and other data storage devices.
It's important to keep in mind that old drives may still hold personal data that the company is obligated to delete under the "right to erasure" granted by the GDPR. Deleting files or reformatting a drive does not remove that data; it must be sanitized with a method that actually destroys it (overwriting, the drive's built-in secure or cryptographic erase, or physical destruction), and the sanitization should be verified and recorded so the company can demonstrate GDPR compliance.
Enterprise IT organizations need to be cognizant that consumer data might be lurking on a number of devices across the business, including storage drives in data centers, desktop computers used to process customer data, and smartphones or tablets used to share or collect customer data. Even third-party cloud services used to store collected data can put an organization's compliance with data privacy regulations and laws at risk.
Return material authorization (RMA) hard drives are another challenge for data center operators. Trouble arises when an organization is reluctant to return a failed drive that still contains sensitive customer and corporate data, breaches the return agreement with the manufacturer, and holds onto the drive, incurring penalties as a result.
Never too late for a data center ‘cleanse’
Organizations should make data center clean-up a top priority in response to the growing global focus on consumer data privacy, taking stock of whether their data management processes and policies are aligned with the current laws regulating the use and storage of consumer data. Operators should also update their routine data center maintenance to include end-of-life processing for both HDDs and SSDs, so that drives and the data on them stop piling up along with the risk and liability they carry. The two drive types need different treatment: a multi-pass overwrite is a reasonable approach for an HDD, but wear leveling and spare blocks make overwriting an SSD unreliable, so an SSD should be erased with its firmware's secure-erase or crypto-erase command and the result checked afterward.
Not only will customers' privacy concerns be respected, costs and the potential for penalties will be reduced as well. Companies that take consumer data privacy seriously will also be better positioned to weather future changes in privacy regulations.
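The sanitization called for above is only defensible if it is verified. The following is an added example, not code from the original article or from any vendor's tooling: a sample-based check that a retired drive (or a disk image of one) reads back as zeros after an overwrite or secure erase. The path, block size and sample count are assumptions; the check always includes the first and last block and a seeded random selection of interior blocks, which is the kind of spot check an auditor can re-run. It verifies zero fill only; a drive that has been crypto-erased will read back as random data rather than zeros, so that case needs a different check, such as searching the sampled blocks for a known marker written before the erase.

```python
"""Sample-based verification that a sanitized drive or disk image reads back as zeros.

Added example (not from the original article). Assumes the drive is presented as a
path that can be opened read-only, e.g. /dev/sdX on Linux or a raw image file.
"""
import os
import random
from typing import List, Optional, Tuple


def sample_offsets(size: int, block_size: int, samples: int,
                   seed: Optional[int] = None) -> List[int]:
    """Return sorted, block-aligned byte offsets to read.

    The first and last block are always included; the rest are chosen at
    random. Passing a seed makes the selection reproducible for an audit log.
    """
    rng = random.Random(seed)
    nblocks = max(1, size // block_size)
    chosen = {0, (nblocks - 1) * block_size}
    while len(chosen) < min(samples, nblocks):
        chosen.add(rng.randrange(nblocks) * block_size)
    return sorted(chosen)


def verify_zeroed(path: str, block_size: int = 4096, samples: int = 256,
                  seed: Optional[int] = None) -> Tuple[int, int, List[int]]:
    """Read sampled blocks from `path` and report any that are not all zero.

    Returns (blocks_checked, dirty_blocks, dirty_offsets). A non-empty
    dirty_offsets list means the sanitization did not fully succeed and the
    drive must not leave the data center.
    """
    fd = os.open(path, os.O_RDONLY)  # read-only: never modify the evidence
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for block devices and files
        offsets = sample_offsets(size, block_size, samples, seed)
        dirty: List[int] = []
        for off in offsets:
            block = os.pread(fd, block_size, off)
            if any(block):  # any non-zero byte means residual data
                dirty.append(off)
        return len(offsets), len(dirty), dirty
    finally:
        os.close(fd)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/dev/sdX"  # assumed device path
    checked, bad, where = verify_zeroed(target, seed=0)
    print(f"{target}: {checked} blocks sampled, {bad} non-zero")
    for off in where[:10]:
        print(f"  residual data at byte offset {off}")
    sys.exit(1 if bad else 0)
```

Run it against the drive path after the erase command completes; a non-zero exit means the drive goes back into the sanitization queue rather than out the door. Keep the seed, sample count and result alongside the drive serial number as the sanitization record.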