You may also like
Europe’s General Data Protection Regulation (GDPR) legislates for data protection and privacy for all individuals in the European Union or European Economic Area
A year on from GDPR, compliance still patchy in Europe
Europe's General Data Protection Regulation (GDPR) was introduced in 2018 with much fanfare, yet many companies have decided to risk penalties rather than undertake the hard work of compliance.
When Europe’s GDPR came into effect in May 2018, much of the public focus was on penalties ranging into the tens of millions of Euros that businesses potentially faced for non-compliance.
The general assumption was that corporations who have - for many years - been processing people’s personal data would act quickly to get their houses in order.
With that in mind, Georgios A. Korellis, a managing consultant at Baker Tilly’s South East Europe-based Specialist Consulting Solutions, says it’s surprising how many businesses he still sees that are either just paying the GDPR lip service or (in a small number of cases) giving it no regard at all.
Specialist Consulting Solutions is the latest addition to the Baker Tilly South East Europe team. Consultants there argue that a year on from the introduction of GDPR there remains a divide - between organisations that it classifies as ‘committed to compliance’, those who fall into the ‘bare necessities’ category and those who belong in the realm of ‘conscious avoidance’.
“Organisations in the ‘bare necessities’ mould appear not to believe in the seriousness of the regulation and typically complain that the GDPR is imposing additional regulatory and financial burdens, without the enforcement ‘teeth’ by regulators,” Korellis explains.
“This – in their perception – results in unfair competition, stemming from the fact that other organisations in their industry do not even try to comply. That allows those non-complying organisations to have a lower cost base and not to be constrained by what they perceive as ‘bureaucratic’ requirements with little commercial reality or substance. Whilst such complaints are not without merit, they are unlikely to prove a strong-enough defence if a Privacy Commissioner decides to focus their attention to an organisation’s privacy practices.
Despite the hefty fines that business can face for non-compliance, Korellis sees significant opportunities towards compliance.
“The ‘conscious avoidance’ group has simply decided not to invest any money or resources at all in being GDPR-compliant,” he says.
“They seem to hold the view that this is all just Brussels bureaucracy and until such time as the data protection commissioner of the country in which they are based takes a tougher stance or attacks them individually, they shouldn’t do anything.
“From our perspective, the size of fines has still not made a noticeable impact to those that otherwise do not believe in compliance.”
But there are signs that even the biggest multinationals are now having to give considerable thought to the implications of the GDPR.
Google, fined €50m for data violations in January by France’s regulator, is now under investigation in its new European home of Ireland, where Facebook also bases itself.
Businesses around the world have admitted to falling behind with data privacy requirements and having to look for external resources to help keep them on track.
Korellis says there is now what he terms a ‘GDPR round two’ as organisations realise that what they’ve done so far has not reduced their risk profile enough – and that they need specialist help to take real action.
“Organisations are suddenly coming to the realisation that their previous efforts were too narrow in their scope and that risks, rather than being reduced, have typically increased,” Korellis says.
“To this end, we are finding that there is a shake-out process which is pushing ‘me-too’ advisors and consultants away from the market, or at any rate diminishes their relevance and desirability by organisations who desire to seriously tackle privacy deficiencies and risks.
“As a result, organisations are turning to specialist consultants, with proven experiences, and are re-evaluating their efforts to date and revisiting their current state of compliance.”
Although Korellis believes there had been a strong focus on ‘perimeter safety’ to ward off the threat of external intrusion, organisations are still not paying enough attention to ‘inside risk’.
That line of thought was echoed by Baker Tilly Netherlands’ Bert van der Leeden, who believes a combination of human factors and physical documentation pose hard-to-avoid GDPR risks.
“What I see is a very big risk is the unstructured data …we still have paper in our offices,” says van der Leeden.
“The real risk is in services we have, which are cloud applications, and where we have evaluated the supplier and the software from A to Z and done all kinds of work to have an agreement with them.
“The problem would come if someone was to print out any information from those services. Then you also have unstructured data in emails, even though we have encrypted software for sending it.
“If our people are not adhering to policies, then there’s risk.”
Van der Leeden believes it is vital businesses are able to demonstrate a commitment to meeting GDPR obligations, not only for the sake of compliance but also to protect their reputations.
In the worst-case scenario of a violation of regulations, this requires being able to demonstrate a genuine response to remedy the situation.
“We’re in the business of providing trust – we don’t want to be in the news with a data breach,” van der Leeden says.
“The first question the APG (or data regulator) in the Netherlands will have is ‘what’s the seriousness of this mishap?’ The second thing that the APG does is to look into what you have done.
“How did you correct the situation? How did you follow up? What is the follow-up that you instantly made so there is no other breach of privacy?
Baker Tilly continues to work with its clients across Europe — and beyond — to help develop their GDPR compliance and ensure they have the right processes in place to deal with data protection and potential breach.
But it is a continual battle, he says, and can’t be a matter of set and forget.
“You will always need to review what you have done and where you are at the moment, and make changes if you need to,” van der Leeden says.
“It’s part of the plan-do-check-act cycle – you will simply need to evaluate these policies every year.”