
posted by martyb on Saturday September 28 2019, @08:48AM
from the less-is-more dept.

Under one in three organisations are fully compliant with the General Data Protection Regulation, despite the privacy legislation coming into force across Europe almost a year and a half ago.

Consultancy firm Capgemini surveyed over 1,000 compliance, privacy and data protection personnel and found that despite three quarters of them having previously been confident about being compliant by the time GDPR came into force in May 2018, that isn't the case in reality and many are still struggling to adhere to the legislation. 

Now just 28% of those surveyed believe they're fully GDPR compliant – despite regulators being willing to issue heavy fines.

The UK's Information Commissioner's Office (ICO) has already issued a record fine of £183m to British Airways for what it concludes to be "poor security arrangements", which led to personal data of half a million customers being stolen by hackers in a cyberattack disclosed in September 2018.

"For many organisations, the true size of the GDPR challenge only became apparent as they began the initial projects to identify the applicable data that they held. As a result, only the most focused organisations had completed their GDPR readiness by the time the legislation came into force," Chris Cooper, head of cybersecurity practice at Capgemini, told ZDNet.

[...] The Capgemini survey found that of those organisations that are fully GDPR-compliant, 92% of executives from these firms believe that being so has given them a competitive advantage by enabling them to improve customer trust, customer satisfaction and brand image, with all of this helping to boost revenue.

GDPR-compliant organisations also point to benefits behind the scenes, with around four in five of those surveyed of the opinion that being compliant with data protection regulation has helped improve IT systems and cybersecurity practices throughout the organisation.

"Organisations need to promote a data protection and privacy mindset among employees and integrate advanced technologies to boost data discovery, data management, data quality, cybersecurity, and information security efficiencies," said the report.

[...] "The introduction of GDPR was not a deadline but the start of an ongoing process and there is a lot more work to be done. That said, we will not hesitate to act in the public's best interests when organisations wilfully or negligently break the law," said an ICO statement.

  • (Score: 3, Interesting) by Pino P on Saturday September 28 2019, @01:06PM (4 children)

    by Pino P (4721) on Saturday September 28 2019, @01:06PM (#899892) Journal

    From the featured article:

    one third of respondents say that the financial costs of achieving alignment with GDPR are too prohibitive.

    Here's one example: Article 27 [privacy-regulation.eu] requires that if a private sector business outside the EU processes personal data of EU residents in a way that is not "occasional,"* it must hire a representative on EU soil to handle inquiries from data subjects. This service can cost $2,700 per year [verasafe.com], and for a company with less than $2 million per year of worldwide revenue, with the vast majority being domestic and less than $50,000 per year from the EU, this is easily cost-prohibitive. Nor does the regulation define "occasional," and some analysts speculate** that processing that happens for every order that an EU customer places would not qualify as "occasional." So until such time as courts define "occasional," some small businesses outside the EU have chosen to refuse service to the EU.

    * For processing to be exempt from article 27, it must satisfy all three of these requirements: 1. "occasional"; 2. does not include the subject's membership in protected classes or criminal convictions; 3. does not harm the subject's legal rights.
    ** Citations available on request.

  • (Score: 0) by Anonymous Coward on Saturday September 28 2019, @02:43PM (1 child)

    by Anonymous Coward on Saturday September 28 2019, @02:43PM (#899921)

    How would EU law be enforced against an American entity?

    • (Score: 2) by Pino P on Saturday September 28 2019, @09:36PM

      by Pino P (4721) on Saturday September 28 2019, @09:36PM (#900056) Journal

      If a foreign merchant refuses to pay fines assessed by EU member states' data protection departments, EU member states' customs departments can prevent parcels from reaching buyers in the EU. Or EU member states' financial regulators can pressure payment processors that operate in the EU not to let foreign merchants without a designated representative accept payments from cardholders in the EU.

  • (Score: 1, Interesting) by Anonymous Coward on Saturday September 28 2019, @02:45PM

    by Anonymous Coward on Saturday September 28 2019, @02:45PM (#899922)

    some small businesses outside the EU have chosen to refuse service to the EU.

    All businesses without a legal presence in the EU should, on principle, refuse to trade with the EU. Why comply with the GDPR or collect their VAT without sending them the bill for implementing and running that system?

  • (Score: 0) by Anonymous Coward on Saturday September 28 2019, @09:21PM

    by Anonymous Coward on Saturday September 28 2019, @09:21PM (#900053)

    yeah, that stupid shit is not happening and i'm not going through backups to extract and delete jackasses' email addresses either.