12 GDPR Learnings from 2019
Remember when all those annoying emails from email lists of yore kept clogging up your inbox and they all had the same legalese? Well, it’s been a while since the flurry of GDPR-related activity worked everyone up into a tizzy, and data regulators across the EU have since had many field days levying fines on companies large (Google, British Airways) and small (a random business in Vienna whose CCTV captured too much of the sidewalk).
From turning on users’ microphones through an app without proper consent to acquiring a competitor that had suffered a data breach, businesses found themselves in a fine, fine world for not taking the right steps to secure their data.
Here’s a quick recap of what's happened in a GDPR world in 2019 and 12 learnings you can implement from GDPR’s first year.
What's GDPR again?
It stands for General Data Protection Regulation, and it was created to give people in the EU more control over their personal data (as it should’ve been from the get-go!).
Under GDPR, companies must ensure that personal data (a broader category than the US notion of personally identifiable information, or PII) is collected lawfully (read: on a valid legal basis such as consent) and that the data is properly managed and safeguarded. Otherwise, companies will be hit with steep fines and negative PR (which probably costs more than the fines).
Has GDPR actually been enforced?
Did Tom Ford turn around the House of Gucci?
Companies ranging from Google, fined €50 million for collecting personal user data without valid consent (so much for ”Don’t Be Evil”), to a Spanish football league, hit with a €250,000 fine for using its app to turn on users’ microphones without proper consent to “catch illegal soccer streams” at various pubs, have learned that GDPR is meting out punishments faster than a nun at Sunday school.
And for those with morbid curiosity, GDPR fines scale with annual revenue: violations of the security and other operational obligations carry fines of up to €10 million or 2% of global annual turnover, and violations of the core privacy principles (lawful basis, data subject rights, international transfers) up to €20 million or 4%, whichever is higher in each case.
So GDPR actually has teeth...my company should be okay, right?
Your company should be fine if you’ve implemented the proper controls and are transparent about how you document compliance.
Note that GDPR applies to you if you process the personal data of people in the EU, for example by offering them goods or services or monitoring their behaviour, regardless of where your company is located. So if you have partners or customers in Europe, you’ll need to think about compliance.
And speaking of compliance, here are 12 learnings from the past 12 months that GDPR has been in effect:
12 Learnings aka Must-Dos to Ensure You’re GDPR-Compliant
- Beef up consent and disclosures: EU citizens take their privacy and security seriously (especially compared to US citizens), and will report data violations.
- Update user notices: Privacy is no longer a commercial transaction codified in Terms of Service agreements; consent has to be requested separately, in plain language, and must be as easy to withdraw as it was to give.
- Apply transparency, documentation, and evidentiary compliance in key operations.
- Ensure your marketing and sales team is actually obtaining people’s info with consent.
- Audit and document lawful and legitimate access to user data. And always, always, always document rationale.
- Implement annual security audits to verify compliance.
- Disclose a breach ASAP: Notify your supervisory authority within 72 hours of becoming aware of a breach, and the affected individuals without undue delay when the breach is likely to put them at high risk. As lawyers are wont to say, you want to show that you're mitigating damages as quickly as possible.
- If you aren’t already, use a pen testing service (like Cobalt) to identify unknown vulnerabilities.
- Leverage real-time monitoring tools like Splunk and Sentry to track app performance and activity, so that a breach is detected promptly (the 72-hour clock starts when you become aware of it).
- Ensure security awareness training is actually implemented (rather than just having staff “interact” with a program that features circa-1998 UX, “gotcha” quiz questions and a timer).
- Conduct vendor risk assessments and audits for all of your vendors and business partners (an automated vendor risk management tool can help with tracking and managing vendors’ security postures).
- Encrypt everything, at rest and in transit. ‘nuff said. (Well, almost: Article 32 names encryption and pseudonymisation explicitly as appropriate security measures, and a breach of data that was properly encrypted can exempt you from having to notify the affected individuals.)