2018 brought a major shift, and more clarity, to individual data privacy. In May the European General Data Protection Regulation (GDPR) came into force, two years after its adoption, replacing the patchwork of data protection legislation put in place by individual EU member states with a single regulation. GDPR is designed to guide organizations in protecting the personal data of individuals in the EU, and it covers any data that could feasibly be used to identify a person, directly or in combination with other data. This includes medical records, genetic information and financial information – precisely the data that a breach targets.
GDPR requires organizations to report personal data breaches to the relevant supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of the people affected. The notification must be made within 72 hours of becoming aware of the breach, where feasible; if it is made later, it must be accompanied by the reasons for the delay. Where a breach is likely to result in a high risk to the individuals concerned, they must be informed as well. Note that the 72-hour clock starts at the point of awareness, not at the point of discovery of the root cause, so an organization needs an internal process that can triage and escalate an incident well within that window. It is interesting to see how effective the new regulation has been and where organizations stand when it comes to GDPR compliance. Let's have a look at the fate of businesses under GDPR since it was introduced.
Poor Board-level Awareness
The headline-grabbing fines point to a common pattern: organizations with poor board-level awareness, no priority given to data management, untrained employees, and security investment that is postponed or ignored altogether. In the three months since GDPR was introduced, the UK Information Commissioner's Office (ICO) said it had found that unpreparedness, or an unwillingness on the part of senior executives to disclose sensitive information, was behind uncooperative breach notifications. If you struggle to make the case for cybersecurity in front of your board, my colleague wrote a blog on how to talk about cybersecurity in your organization.