The EU General Data Protection Regulation (GDPR) changed the landscape of data privacy regulation and made it the most secure it has been in 20 years. It completely alters the way data is handled across every sector and creates a strict set of regulations that businesses need to follow, but are businesses making it a priority? And if not, why not?
I spoke with Michael Zurcher, Global Privacy Officer and Senior Director at Iron Mountain about how things have changed since the implementation of GDPR. This article outlines a GDPR overview and why it should still be a priority for business leaders and their organizations.
Zurcher said that, looking at the bigger picture on the enforcement side, not much has changed. There have been about half a dozen enforcement actions since GDPR went into effect.
The highest fine that enterprises have seen so far was 400,000 Euro, levied against a hospital in Portugal. The hospital was fined because it failed to restrict access to patient data stored in its patient management system. Concerns about the lack of data-access controls arose in April 2018. A subsequent audit found that 985 hospital employees had access to sensitive patient health information, while only 296 physicians were employed by the hospital, according to HIPAA Journal.
The fines and penalties that many companies feared when GDPR came into effect haven’t really taken place. Zurcher stated that GDPR was never really about the fines, but more about having organizations understand that privacy is important, “the old regime did not give regulators a tool.”
While it may be a relief that significant fines haven’t occurred, there is still a lot of ambiguity surrounding GDPR. Regulated industries have an increased focus on privacy, security, and compliance in general. The questions clients now ask are more sophisticated, because they want to ensure their bases are covered and that they’ve done their due diligence.
According to Zurcher, only about 10% of his customers that are exposed to GDPR, maybe even fewer, have made the necessary changes to be compliant. The ability to respond to requests from individuals has created a significant number of challenges because it’s not “business as usual” yet. Unless organizations have control over their records management, it’ll be an even more daunting task.