Why it is needed
The GDPR Scope
The scope of GDPR is broad, covering not only the handling, processing, storing, and communication of personal data but also trace data that—when combined with other observable information—might expose the personal information of an EU resident. This creates a complex set of challenges for data privacy teams who, despite their best efforts, will never be able to protect their businesses from every threat on the digital horizon.
No security system can ever be airtight. In addition to hackers and other attackers that pose an intentional threat to the businesses they target, human error and accidental information security breaches are also common.
Even the loss of equipment on which personal data was stored, or an email sent where recipient lists can be viewed, constitutes a data breach.
The question is not whether such incidents will occur, but when, and how they can be managed effectively once they do. The risks of improperly managing a privacy breach are high, and they are only getting higher.
GDPR is only in its second year, and fines had reached about half a billion euros by June 2020. In 2019 and 2020, the fines levied against EU businesses increased dramatically per violation, with companies like Cathay Pacific, Equifax, British Airways, Marriott, and Facebook incurring penalties ranging from hundreds of thousands to hundreds of millions of euros.
In addition to the financial penalties, each violation has a negative impact on the reputations of the companies involved. This often leads to a serious lack of trust among consumers and additional profit loss.
According to GDPR guidelines, businesses need to report data breaches to national supervisory authorities within 72 hours if user privacy has been compromised. And yet, the average time for companies to identify that they had been the victim of a data breach in 2019 was 60 days, with 93% unable to specify the impact of the breach at the time it was reported.
Businesses that fail to properly assess data breaches, or fail to properly report these incidents, face a range of penalties (varying by country) that include:
- Compliance orders regarding data subject requests
- A requirement to communicate breach details directly to the data subject
- A ban on, or restriction of, certain processing activities
- Fines up to €10 million or 2% of the company’s global turnover
- Civil lawsuits filed by individuals affected by the data privacy breach
Moreover, all data breaches (including those that are non-reportable) need to be recorded in the establishment’s data breach register, together with their effects and the remedial action taken, in order to demonstrate compliance with GDPR. Most companies are not aware of that obligation at all!
An investigation by Redscan in 2019 concluded that less than a quarter (45 out of 182) of the businesses examined were compliant with current GDPR requirements.
This is because data privacy professionals lack the tools they need to assess the risk of privacy incidents and manage their team’s response to each incident. Without the proper tools, it is very difficult for data privacy teams to respond to breach incidents effectively and within the timeframe required by GDPR.
In some cases, privacy teams may even encounter a reluctance to report incidents at all for fear of the consequences. All of these scenarios represent an unacceptable risk for businesses operating within the EU, or for those that store the personal information of EU residents.