GDPR 3rd Anniversary: Be compliant, not complacent

As the EU’s GDPR passes its third anniversary Datapac general manager Karen O’Connor reminds businesses of the importance of being GDPR compliant.

25 May 2018 saw the much-anticipated General Data Protection Regulation (GDPR) come into effect following extensive awareness and educational campaigns from regulators and service providers alike.

The strict data protection regulation, a concern for many organisations in the lead up to its implementation, applies to organisations of all sizes, in all sectors, and carries potentially detrimental fines for those who breach the rules.


It’s poignant that three years on, the Irish Health Service Executive (HSE) continues in its attempt to restore normal service levels following the recent cyberattack inflicted upon it, with those responsible valuing their successful exploit at a hefty $20m. While restoration of normal patient services is the priority, the nation is holding its breath to see what the data protection fallout will be from this notorious Conti ransomware attack.

The double extortion nature of the Conti attack threatens, in addition to demanding a ransom, to publish confidential patient data protected under the regulation on the dark web for further exploitation. This serves as a frank reminder that despite GDPR becoming embedded in the contextual fabric of Irish organisations, there is no room for complacency.

While GDPR is a holistic organisational issue encompassing processes, systems, people and culture, Information Technology (IT) can and has played a pivotal role in the GDPR compliance journey of Irish organisations. On this, its third anniversary, here’s a look at GDPR through the lens of an IT provider to provide some useful guidance for continuing to meet obligations.

Breaches and fines


The nature of GDPR calls for compliance, not complacency, and should remain a constant concern for organisations. However, the HSE is not alone in failing to adequately protect the personal data with which it was entrusted. To date, the Irish regulator has imposed €715,000 in fines for breaches of GDPR since its introduction in 2018. According to research by DLA Piper, Ireland reported over 6,600 GDPR data breaches to the Irish Data Protection Commission last year, ranking it 6th in Europe and 3rd on a per capita basis.

Applying increasing pressure to organisations, fines imposed by European authorities under the regulations have increased by almost half over the past year, compared to the first 20-month period after GDPR came into force.

Growth in IT managed services

The requirements of GDPR take us beyond a point-in-time state of being compliant, and necessitate that personal data is continuously protected. This has seen a seismic shift in the IT landscape towards the adoption of managed services over the procurement of point solutions. Organisations need to ensure that the solutions they rely on to protect personal data not only have the capability to control the risks identified, but are correctly implemented and thereafter monitored and managed to ensure the IT investment is continually delivering on its objectives.

The range of services adopted has also expanded, with services such as dark web monitoring, vulnerability assessment, business continuity and forensic threat-hunting enhancing the more traditional productivity and performance-orientated managed services being consumed.

The impact of changing organisational boundaries

A critical event during the early life of GDPR has been the global pandemic, which continues to impact operations for most organisations in some fundamental way. One such way was the requirement for many occupations and organisations to commence remote working in the early part of 2020, a trend that has largely continued to date in Ireland. With less visibility of people and devices, this presents new data protection challenges for organisations that had not long come to terms with the existence of GDPR.

Much of the initial response to home-working focused on enabling the productivity aspect – making sure employees could work from home by implementing remote communication and collaboration tools. This was, in many cases, followed by a retrospective review to ensure the solutions deployed in haste were secured, monitored and managed. Given the rise in cybercrime and the increasingly complex threat landscape, it is more important than ever for organisations to assess the impact of changes made in response to the pandemic if they have not already done so, and this 3rd anniversary of GDPR serves as a prime opportunity.

Tips for your GDPR journey: An IT Perspective

  • Conduct risk assessments – know what you are trying to control and the consequences of not controlling it before making decisions on IT investments
  • Invest in security controls based on risk assessment priorities – with so many point products and solutions out there, it can be hard to know what to invest in and where to stop spending. Investment decisions should be made by process, not just procurement
  • Don’t forget the human element – invest in awareness training and empower your employees
  • Ensure your solutions continue to deliver by considering how they will be monitored and managed for effectiveness and continued relevance. If you lack the requisite resource or knowledge, then consider enlisting an experienced and highly accredited managed services partner
  • Focus on partnership rather than procurement – have your IT partner at the table when it comes to GDPR and business objective discussions

The 3rd anniversary is a timely reminder for organisations that being GDPR compliant is a continual journey and not a final destination. Now has never been a more appropriate time to revisit arrangements to protect personal data, be that from an IT or wider organisational perspective.

What may seem like an onerous task can not only prevent substantive fines and long-lasting reputational damage, but may deliver additional organisational benefits. Improved data management, a boost to the efficiency of business processes, and ultimately an increase in trust between your organisation, your employees and your customers are just some of the additional benefits that may be realised.

Karen O’Connor is general manager in charge of ICT Services and Solutions at Datapac, a leading Irish ICT solutions and services provider. Established in 1982, it has been at the forefront of technology innovation in Ireland for the past three decades. With offices in Dublin, Wexford and Belfast, along with service locations throughout Ireland, Datapac provides service to leading organisations nationwide.

Published: 26 May 2021