Law firm DLA Piper recently published a report detailing the results of a Data Breach Survey following the introduction of the EU General Data Protection Regulation (GDPR) on 25th May 2018.
The survey revealed a number of interesting findings including:
- There have been more than 59,000 personal data breaches notified to regulators in the first eight months since GDPR was introduced
- The Netherlands, Germany and the UK had the most data breaches notified
- When weighting to take population into account, the Netherlands had the most breaches notified per capita
- There have been 91 reported fines under the new GDPR regime
- Google’s €50 million GDPR fine is the highest to date
While the number of fines is relatively low, DLA Piper comment that regulators have a large backlog of notified breaches and have focused their efforts on high-profile breaches. This means that many organisations are still waiting to hear whether any action will be taken against them.
The numbers show that organisations are clearly aware of the risks of not notifying regulators of breaches, but are they doing enough to prevent breaches in the first place? GDPR compliance requires ongoing management, which can be complicated and resource intensive. 3GRC’s cloud-based Platform simplifies and streamlines the process and contains many adaptable features to help organisations keep on top of, and improve, their GDPR compliance. 3GRC recommend the following approach:
GDPR readiness assessments
Don’t be fooled into thinking you are done with these. The 3GRC GDPR readiness assessment is designed to help organisations understand and identify how they measure up against the GDPR. Whether you are already compliant or need to work towards compliance, this assessment is extremely useful for both internal and external use. It works particularly well when assessing a third party’s compliance and when reassessing your own compliance status as you process and acquire new data.
Identify and organise risks
The 3GRC Platform automatically identifies and maps where sensitive and critical data exists within your organisation, helping you to stay compliant as an ongoing exercise. It identifies and categorises risks that are present internally and externally by assigning each a risk score, which, when analysed, reveals the risks that pose the larger threat and therefore should be prioritised. The Platform allows you to set and delegate realistic deadlines, which can be easily monitored and updated as you work towards improving your compliance status.
Actively monitor your third parties
The GDPR places obligations on both data controllers and processors, meaning that if a third-party processor is non-compliant, this affects your organisation. The 3GRC ‘relationships’ function allows you to map relationships between entities and assign custom attributes, so that you can visually monitor exactly who is viewing, using and moving your data, and even how much data is being transferred. This not only gives you the ability to control the use of your data, but also to recognise where breaches at a third party may affect you. The Platform enables users to distribute policies, communicate informally and measure the risk scores of third parties, ensuring you are always in control.
Audit trail protection
Some areas of GDPR are left very much to interpretation, meaning organisations need to minimise this risk as much as possible. 3GRC’s Platform collates all GDPR-related information, including data, actions and reporting, and stores it in one place. This means that if a breach were to occur, evidence is readily available to demonstrate that your organisation took the appropriate measures to monitor and control compliance.
Data Protection Impact Assessment (DPIA)
GDPR states that data protection impact assessments are required to assess whether project or asset implementations need to be considered under GDPR procedures. The DPIA, available within the 3GRC Platform, evaluates the origin, nature and severity of potential risks and then provides recommendations to mitigate the identified risks, supporting ongoing compliance. An effective DPIA allows organisations to identify and remediate issues at an early stage in a project or asset implementation, reducing the associated costs and reputational damage that might otherwise occur.
Contact us today for more information on 3GRC’s Platform and how we can help you achieve ongoing GDPR compliance.