How Well Are We Adjusting to GDPR?

Enough time has passed since the General Data Protection Regulation (GDPR) came into effect for data subjects (the people whose personal data is being collected, held or processed) to exercise their rights and clear their inboxes of privacy-update emails. For Data Protection Authorities (DPAs), the past few months have yielded a list of companies suspected of not meeting GDPR-mandated requirements, primarily due to data-subject complaints, data-breach violations by the data controller and data-breach violations by subprocessors. Being placed on the investigation list is a real fear for global companies because of the potential for very strict fines and the risk of damage to the company’s reputation.

The data-subject rights mandated by GDPR test whether companies are able to erase, amend and summarize specified personal information, while still providing services tailored to data subjects who withhold their consent. If a data subject decides to exercise his or her rights and the company cannot meet the GDPR requirements, the company is in violation and may be placed under investigation.

Besides the failure to fulfill data-subject rights requests, companies face the threat of a DPA investigation when the data controller fails to notify the correct supervisory authority, or the data processor fails to notify the respective data controller, within 72 hours of validating a data breach. This issue is more widespread than one might imagine: over 1,100 failure-to-notify alerts and data-subject complaints were reported to the U.K. Information Commissioner’s Office during just the first few weeks GDPR was in effect.

The EU member-state report noted that Ireland received the highest number of reports, with 547 data breaches and 386 complaints. Sweden, by contrast, received only two complaints. (The discrepancy in the number of complaints each EU state receives depends on factors such as citizen awareness and perception, resource availability, and even the method of complaint.)

In addition to giving data subjects the right to file a complaint with a DPA, GDPR offers a private right of action, which includes bringing class-action lawsuits against corporations, a method of exercising rights that was not previously available. Allowing data subjects to bypass the DPA and form a group lawsuit significantly increases the impact of a single complaint and creates power in numbers.

As time passes and the novelty of the regulation subsides, global companies will be better able to gauge what preparations and precautions are needed, recognize the primary channels through which violations arise, and understand what it will take to meet GDPR requirements going forward.

Tap into Protiviti’s GDPR resources and bookmark the page for future updates.

Katie Stevens

Director
Technology Consulting – Security and Privacy

Teri Dye

Senior Consultant
Technology Consulting
