European data protection authorities have received hundreds of thousands of data breach reports since the EU’s GDPR came into effect, and have imposed fines totaling hundreds of millions of euros for a variety of privacy regulation infringements. The rise of data breaches during COVID-19 will likely lead to further fines as businesses struggle to protect their employees and data while staff work from home.
A Quick GDPR Recap
The European Union’s General Data Protection Regulation (GDPR) came into effect in May of 2018 as a replacement to the EU Data Protection Directive. The GDPR bolsters and protects the rights of data subjects by outlining what individuals can expect from organizations that collect their data. The GDPR further outlines how organizations must protect personal data during collection, storage, and disposal.
Organizations must comply with the GDPR if they fall into one or more of the following categories:
- Have at least one location within the EU
- Process or store data about residents of the EU
- Use third party services that process or store information about individuals who reside in the EU
Iceland, Liechtenstein, and Norway (the non-EU members of the European Economic Area) apply the GDPR alongside the EU member states, and the United Kingdom, which left the EU in January 2020, remains bound by the GDPR until its transition period ends at the end of 2020. While organizations control the steps they take to protect data during intake, storage, and destruction, they remain vulnerable to data breaches.
The Cost of Not Being GDPR Compliant
Not Meeting GDPR Privacy Regulations
Organizations to which the GDPR applies can be fined up to 4 percent of their annual global revenue or €20 million ($22 million), whichever is greater, for violating the privacy regulation. Further, they face sanctions that could limit their ability to conduct business as usual, including losing the ability to process personal data.
Failing to Report and Alert
Once an organization becomes aware of a personal data breach, it must notify the relevant data protection authority without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to individuals. Failing to meet reporting requirements can incur fines of up to 2% of annual global revenue or €10 million ($11 million), whichever is greater. The same fine tier applies to organizations that fail to implement appropriate security measures to protect personal data.
GDPR Compliance Fines
As Bank Info Security noted in January, the GDPR is still new and the fines data protection authorities are imposing are low compared to what they could be, not to mention inconsistent across countries. Experts assume (and hope) that, as data protection authorities and regulators become more familiar with both data privacy violations and breaches, fine amounts may rise and become more consistent across the EU.
Recent fines have included:
- France – Google – €50 million
- United Kingdom – British Airways – £183 million (proposed by the ICO)
- Germany – AOK Baden-Württemberg – €1.2 million
- Croatia – Unidentified bank – €20 million
- Italy – TIM SpA – €27.8 million
Organizations that end up being reported, investigated, and fined for non-compliance tend to be processing too much personal data, leaving their data unsecured, or both.
How to Ensure GDPR Compliance
Protecting the personal data your organization processes doesn’t have to be difficult. With controls in place, as well as organizational policies, you can fully enforce and ensure compliance from the top down:
- Create a procedure to quickly locate and delete personal data about a person
- Simplify your method of safely disposing of customer information when requested to do so
- Ensure you can appropriately audit your records to find all personal data, including any external companies you’ve shared information with
One way to meet several data privacy requirements at once – safeguards, audit trails, storage, and limited access – is with a managed file transfer (MFT) solution. MFT protects files both at rest and in transit, and takes on the heavy lifting of any custom programming and scripting used for file transfers.
GoAnywhere MFT helps organizations meet data privacy requirements like GDPR by providing an auditable solution with secure file transfers, encryption, secure file sharing and collaboration, and granular user permissions.
How to Protect Your Data and Prevent a Data Breach
For some organizations, the changes needed to comply with the GDPR drastically altered how data was processed and protected. Although the regulation has now been in effect for over two years, organizations are still working out what works best for them from a cybersecurity standpoint.
While there is no failsafe way to prevent a data breach, ensuring your data is secure during transfers and at rest, having insight into how users interact with your files, and centralized control over file transfers is a good start. GoAnywhere Managed File Transfer can help you to comply with the GDPR and protect your organization against a breach.