GDPR compliance: where are we now?
More than a year has passed since GDPR was introduced on May 25th 2018. Significant time, money and other resources went into preparing for the regulation, with one study estimating that global organisations spent an average of £1.17 million each on GDPR compliance.
While I was writing this article, the Information Commissioner’s Office (ICO) announced two headline-grabbing fines. On Monday, the ICO published a notice of intention to fine British Airways more than £183 million for a breach last year. Meanwhile, international hotel group Marriott could be hit with a £99.2 million penalty after hackers stole personal data from approximately 339 million customers.
.@ICOnews Commissioner Elizabeth Denham on why she’s going for record-high #GDPR fines against British Airways & Marriott: “This is not a charity. This is a large business that you’d expect would take care of personal data.” @WSJCyber https://t.co/tztiLQ6uEE
— Catherine Stupp (@catstupp) July 10, 2019
So, are organisations currently meeting their data protection obligations? And what GDPR challenges remain on the horizon? To answer these questions, let’s take a look at recent research and insights that explore the effects of the regulation.
Are businesses fully compliant?
In 2018, TrustArc published a survey that showed just 20% of companies believed they were compliant with the regulation.
The poll, which was conducted one month after the deadline passed, revealed more than a quarter (27%) hadn’t even begun the implementation process yet. While 74% of respondents expected to be compliant before the end of 2018, 7% admitted they wouldn’t be ready by the close of the following year.
Has the situation improved? There appear to be no figures from the last few months, but Cisco published corporate compliance levels in January 2019.
According to the report, 59% of organisations were meeting all or most of their GDPR regulations at the beginning of this year, and a further 29% expect to achieve compliance by 2020. However, 9% admitted they aren’t ready yet and said it would take longer than a year to get there.
The figures are roughly in line with the TrustArc study, suggesting some firms are still struggling with storing and protecting their data, despite the risk of sizeable fines. Speaking of which …
Were GDPR compliance fears warranted?
The prospect of multimillion-euro fines for GDPR data breaches was never far from the media headlines in the lead-up to implementation day. A maximum penalty of €20 million or 4% of annual revenues dwarfed the ICO’s existing fine of up to £500,000.
So, was the media scaremongering well-founded? It would seem so, given the ICO’s recent announcements regarding BA and Marriott’s GDPR infractions. Previous to that, Google had already been hit with a €50 million fine earlier this year. French regulator CNIL delivered the punishment after it ruled the search engine firm had lacked transparency and consent measures for its personalised ads.
Google’s revenues topped $100 billion (€87.3 billion) in 2018, so the decision didn’t come close to approaching 4% of the company’s annual revenues. Nevertheless, these early outcomes show regulators in the UK and across Europe are taking GDPR seriously and will hand out more than just nominal fines if breaches are particularly egregious.
A DLA Piper survey from earlier this year revealed more than 59,000 GDPR breaches were reported within the first 8 months of the regulation’s implementation. The UK was Europe’s third most prolific notifier, informing supervising authorities of approximately 10,600 breaches. The Netherlands (15,400) and Germany (12,600) were first and second.
Over 59,000 data breach notifications have been reported across the European Economic Area by public and private organizations since the #GDPR came into force on 25th May 2018, according to our GDPR #DataBreach survey https://t.co/vMf6AV44jH pic.twitter.com/ApB4VeOqjp
— DLA Piper (@DLA_Piper) February 5, 2019
How has GDPR affected hiring?
Our 2019 Security Market Report suggested organisations were confident in their level of staffing with regards to GDPR implementation. Only 9% of employers said they had inadequate human resources to cope with compliance in this key area.
Nevertheless, at Barclay Simpson, we have seen the data protection market experience a resurgence, with GDPR and the Data Protection Act 2018 heightening demand for experienced candidates. This has resulted in companies approving substantial pay increases for existing staff to prevent them from leaving and stretching their budgets to attract the right talent in a competitive market.
Our experiences seem to reflect a wider pattern in security recruitment. New research from the International Association of Privacy Professionals (IAPP) estimates that European organisations have registered 500,000 additional data protection officers (DPOs) within the first year of GDPR’s implementation.
“GDPR marked a sea change in organisations’ approach to privacy and data protection. Companies have integrated data protection into their governance structures and embraced the demands for accountability in GDPR,” said the association’s CEO, Trevor Hughes.
What will happen next?
There is still clearly some way to go before organisations are fully compliant with GDPR. The Cisco figures suggest nearly 1 in 10 businesses won’t be compliant more than 18 months after the regulation’s introduction – and compliance is just the first step in a longer data protection journey.
Elizabeth Denham, the UK Information Commissioner, said the greatest change GDPR could make is better accountability. In a speech at the Data Protection Practitioner’s Conference in April, she claimed the regulation has moved the data protection profession away from box-ticking and towards a greater understanding and mitigation of risk. In theory, at least.
“I’ll be honest, I don’t see that change in practice yet,” she admitted.
“I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits we carry out. And that’s a problem because accountability is a legal requirement. It’s not optional.”
Ms Denham claimed the next phase of GDPR compliance requires data protection professionals who are legal experts, business analysts, marketers, coaches and stakeholder network-builders.
“It’s quite a skill set to be a data protection professional these days,” she concluded.
Finding the right people to raise the data protection bar
The cyber and information security recruitment market is active and competitive due to skills shortages both in the UK and across the globe. High-calibre talent has never been more in demand, and 57% of security departments told us they are inadequately resourced to tackle the challenges they face in 2019 and beyond.
Our Security Market Report revealed that 27% of professionals switched jobs in 2018, up from 19% the previous year. This suggests candidates are willing to make the move if offered the right incentives, with the average salary increase for changing organisations reaching 17% last year.
Salary is not the main driver of movement within security roles, however. Our figures show that 55% of professionals accepted a new job for career development reasons, while 18% wanted a better work-life balance.
To attract and retain the best data protection professionals, employers must gain a sophisticated understanding of the market and what motivates candidates – or find a recruitment partner who can help. If you would like to discuss your security hiring needs, please contact me on 020 7936 2601 or via email at firstname.lastname@example.org.
Our 2019 Market Report combines our review of the prevailing conditions in the security and resilience recruitment market with the results of our latest employer and candidate surveys.
Image credit (Main): Samuel Zeller via Unsplash