When it was passed into law last year, the EU GDPR was heralded as a landmark for data protection and privacy around the world. The Washington Post went so far as to say it was one of the ‘seven global events to be thankful for’ in 2018.
Following in GDPR’s footsteps, lawmakers across numerous territories are exploring the creation, or are even getting ready to enact similar regulations to protect their own citizens – California, New York, Australia, Brazil and India being the most notable.
However, a regulation can only ever be as effective as those who enforce it, and enforcement has varied considerably across EU countries.
It is therefore worth considering which countries have so far proven their commitment to carrying out their GDPR duties – and which nations appear to be lagging behind. With a maximum fine of up to €20 million, looking at which countries are handing out the biggest penalties is a good place to start.
Who’s giving out the biggest fines?
Since GDPR came into force in May 2018, several significant fines have been handed out to businesses that violated it. For instance, British Airways was fined £183m for insufficient technical and organisational measures to ensure information security, while Marriott International received a £99m penalty for the same reason.
The Facebook breach of one year ago unfortunately still stands as the worst of all reported privacy breaches and violations. Facebook not only lacked the necessary controls to protect personal data; it was also found to have exercised wilful neglect, knowingly processing personal data without consent.
More recently, regulators in both Germany and Austria have announced large fines for organisations violating GDPR. The Austrian Data Protection Authority penalised the Austrian Post €18m for creating and selling the profiles of more than three million citizens without consent. Meanwhile, Deutsche Wohnen SE has been forced to pay €14.5m after the Data Protection Authority of Berlin fined the property company over the storage and deletion of tenants’ personal data.
Bulgaria is the only other country to have issued a fine of more than one million euros for GDPR violations, having given the National Revenue Agency a €2.6m penalty for not having sufficient measures for ensuring information security.
Don’t just follow the money
As can be imagined, there have been far more prosecutions for GDPR violations than just the handful of landmark rulings above. After all, the law is designed to protect the personal information of EU citizens, which is used by nearly every company that does business within the continent. Since not all of these conform with the GDPR, many expected each country to receive significant numbers of reported violations. However, this has not been the case.
According to the DLA Piper GDPR Data Breach Survey, as of February 2019 the country with the most reported violations was the Netherlands with 15,400. This is considerably more than both Germany (12,600) and the UK (10,600) and dwarfs the number in France, where only 1,300 violations were reported. The Netherlands remains ahead of its European partners when population is taken into account, with Ireland and Denmark also topping the list. Along with France, Portugal, Spain, Romania, Greece and Italy had the fewest reported violations per capita.
What is behind such a variance in these numbers? Firstly, one needs to consider how much the citizens of each country know about GDPR, as they are only likely to report violations if they are aware of what one looks like. Figures from the EU’s Special Eurobarometer 487a show that citizens of the Netherlands have the second highest awareness of GDPR, with only 13 per cent not knowing what it was. This could account for the high proportion of violations being reported. At the other end of the spectrum, only around half of the population of Italy (50 per cent) and France (55 per cent) knew what the law was.
There could also be a correlation between the number of reported incidents and how proactive organisations have been in implementing effective solutions for detecting and reporting incidents. Therein lies a significant issue with GDPR: it relies almost entirely on businesses being able to detect incidents and then voluntarily disclosing them to the regulators.
By now, most companies will at least believe they are compliant with the GDPR, yet stories about the latest data breaches continue to appear in the media. Many of these are due to basic security flaws that are only likely to come to light after an incident has occurred and been reported. Only then does a regulator discover that an organisation has not been meeting the compliance requirements.
Continuous compliance is the key
To ensure they do not fall foul of the regulators, organisations need to implement continuous compliance and oversight. This gives them an accurate view of their current risk and compliance levels at all times and enables them to report any issues to regulators within the legislated 72-hour period. Carrying out an audit just once a year all but guarantees an investigation by the regulator.
Information assurance professionals can mitigate these risks more effectively through continuous monitoring activities. Put on your security professional hat and obtain visible support from executive leadership, implement continuous monitoring and oversight capabilities, make compliance with all legal requirements the norm and, most of all, keep an eye on all your vendors and your supply chain. Stay ahead of hackers and ahead of auditors as your core business model moves into unavoidably risky deployments (on-premise, off-premise, cloud, etc.).
Implementing a continuous compliance programme requires putting in place policies, procedures, best practices, measurement and oversight for both internal operations and third parties. While having oversight of all the disparate components of an organisation might seem like a lot of work, it can be greatly aided by automation. Automated, continuous control monitoring presents a single, unified view of the entire network, which helps minimise the chance of human error and the potential for risks being overlooked.
Through continuous compliance, organisations can make sure they do not become another one of the GDPR enforcement statistics whatever country they happen to operate in.
Fouad Khalil, VP of Compliance, SecurityScorecard