Mike Kiser, Global Strategist and Evangelist, SailPoint paints a picture of ‘GDPR by numbers’, taking a look at the most significant breaches and fines so far. He questions what this means for privacy – is the job complete or can we expect further waves of regulation to come?
Today marks the first anniversary of the EU’s General Data Protection Regulation (GDPR). Europe’s data privacy regulation shook up the privacy world by imposing penalties for some of the strongest consumer protection laws of the last 20 years and inspired even stricter laws in other parts of the world.
GDPR created a single breach-notification regulation for the entire EU with the goal of protecting personal data of EU citizens.
So, how are organisations fairing under GDPR? So far, there have been over 64,000 breach notifications, and regulators in 11 European countries have imposed $63 million (or £49 million) in fines. And these are just the first signs of a large wave to follow.
With only 29% of EU organisations GDPR compliant, the breaches and fines will continue to happen. This reminds us that our identities comprise not just our attributes, but all personal data that relate to us. Today, we’ll explore three GDPR cases and how the right identity governance strategy can help meet requirements in a sustainable and cost-effective manner.
Also of interest: Busting GDPR myths
Taxa 4x35, Denmark, recommended $180,000 fine
One of the primary objectives of the GDPR is privacy: the protection of personal data. That means the spotlight is now focused on how organisations process, store, and secure personal data. A key component of this: getting rid of data that you don’t need.
But in Denmark, Datatilsynet recommended fining the taxi company Taxa 4×35 nearly 1.2 million in DK ($180,000) for failing to delete records (customer phone numbers) on 9 million taxi rides after they became unnecessary.
Here’s where identity governance can help. A solid identity governance strategy provides visibility to personal data: what personal data is being stored, who is responsible for it, and who can access it.
It also puts in controls and protections in place by removing personal data that has expired. To avoid a GDPR fine, the taxi company needs to put safeguards in place that deletes data following a specified time period, in this case deleting phone numbers after the ride was over not holding onto this customer data for five years.
Hospital, Portugal, $446,700 fine
When it comes to GDPR, organisations must “design in” measures to ensure data protection compliance. After determining that a hospital in Portugal was allowing patients’ medical data to be accessed by non-medical staff, the result of an oversight within their IT department, two fines were imposed for a total of €400,000 ($446,700) because of their “failure to put in place appropriate technical and organizational measures to protect patient data.”
With identity governance, organisations can strengthen controls by providing centralised visibility into the access control models for all resources storing and processing personal data, assigning data owners to all resources containing personal data, and automating review of access rights across all resources containing personal data.
The violations the hospital was fined for could have been prevented if they had an identity governance platform in place to help centralise the view of users’ access and thus ensure that the right people had the right access to the right data.
Also of interest: Five key considerations for CISOs that are easily overlooked
Hotel, EU, investigation ongoing
Under GDPR, organisations are required to report data breaches from 72 hours from the time they became aware of the breach to report it. Enter in a high-profile case of a large hotel chain, which has been ongoing for several years, but it is a good example to show what will happen if you don’t report a breach in a timely manner.
A data breach impacting 500 million hotel customers was discovered in September 2018, with some saying the breach has been ongoing since as early as 2014. This incident was not disclosed until late November of 2018, far outside the 72-hour window for disclosure set by GDPR. The penalty? Up to $915 million.
Identity governance is put in place to help notify data owners and managers of any violations or anomalies in the access of sensitive data, and to automate remediation when violations are detected. If the hotel had something in place to detect the breach on the onset, it might have avoided the potentially massive fines that may result from missing the reporting window.
Also of interest: Should algorithms decide our fate?
Identity at Play: Security Is a Marathon, Not a Sprint
By looking at the taxi company, the hospital and the hotel, it is clear that the only way to maintain GDPR compliance and data protection is to automate as many identity and access management tools and security audit processes as is reasonably possible.
From these cases, it is imperative that automation is a vital component when processes must be repeated regularly and responses need to occur in real time.
With one year under its belt, it doesn’t look like the GDPR is going anywhere anytime soon. By assessing risks with identity governance at the forefront, an organisation can create a roadmap to prioritize and remediate the most pressing regulatory gaps, and thus effectively control and secure the organisation’s data.