Despite GDPR being in place for over a year, and CCPA being rolled out in January this year, some organizations have not been able to change their data handling practices accordingly. Since the enforcement of GDPR, there have been over 160,000 personal data breaches within the European Economic Area, and failures of data governance trigger the most fines and penalties. Based on findings in the recent 2020 Netwrix Data Risk & Security Report, there are five worrisome compliance practice gaps that can incur high costs.
By Ilia Sotnikov, VP of Product Management at Netwrix
Problem #1: Organizations that are subject to the GDPR collect more customer data than the law permits.
Organizations are definitely not going for minimalism to honor GDPR’s data minimization mandate. Article 25 of the GDPR requires the controller to ensure that only personal data necessary for each specific processing purpose is collected and processed. An organization that stores more personal data than that is misleading its customers.
However, the majority (61%) of the organizations surveyed say they store more personally identifiable information (PII) than they should. They may therefore share the fate of Deutsche Wohnen, which had to pay a €14.5 million fine (approximately US$15.9 million) for issues around the storage and deletion of tenants’ personal data.
Problem #2: Organizations subject to the GDPR and CCPA don’t categorize personal data they gather.
41% of respondents subject to the GDPR and 42% subject to the CCPA don’t discover and classify data at the point of creation and aren’t able to quickly search through the records, or are unaware whether that capability exists in their organization. Data inventory and records management are not an official requirement, but they are essential to complying with the regulations’ key requirements. For instance, there is no way to apply appropriate security controls to regulated data if you don’t actually know where it is located. Also, without proper search capabilities, satisfying data subject access requests without putting the business on hold is nearly impossible.
Problem #3: CISOs and Compliance Officers are not sure if regulated data is stored in a secure location.
66% of CISOs and Compliance Officers in the organizations surveyed doubt that regulated data is stored in a secure location. Nearly half of the undecided CISOs (45%) work for organizations subject to the GDPR. Though it is business units that own non-compliance risks, IT security pros play the quarterback role in managing the technical part of compliance. So CISOs are expected to know whether regulated data is stored securely and not to leave it to luck.
Problem #4: GDPR- and CCPA-compliant organizations don’t track how regulated data is shared.
Organizations that fall under privacy legislation should maintain a record of where the personal data they hold on consumers and employees goes. However, 33% of organizations subject to the GDPR and 25% subject to the CCPA do not track data sharing at all.
Problem #5: GDPR-compliant organizations don’t have a data retention program in place.
The GDPR requires organizations to discard regulated data that is no longer needed: Recital 39 states that a time limit should be established by the controller for erasure or for a periodic review, to ensure that the period for storing the PII is limited to a strict minimum. Yet, according to our data, 52% of organizations that are subject to the GDPR still haven’t established a data retention program. In fact, excessive storage was already one of the reasons the French real estate company SERGIC was fined. Apart from lacking basic security measures, the company stored the documentation provided by candidates for longer than necessary. This resulted in a €400,000 fine.
Major areas for growth
These stats demonstrate that there’s a lot to be done before organizations reach compliance maturity.
First, privacy compliance requires business commitment: IT and the business should answer the key questions together, such as “What kind of data does our organization hold and why?”, “Do we collect data for legitimate purposes?” and “How does data travel across the company?” Only together can they build a healthy compliance strategy, since privacy compliance is not a standalone IT project.
Second, there are certain technical measures that can help organizations grow their ‘compliance muscle’ and protect privacy by design: creating a data inventory (IT may not know the data in detail, but it should know which databases and folders are critical), regularly auditing activity around data, and configuring smart alerting for when data is mishandled.
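The retention review from Problem #5 and the data inventory and alerting described above can be made concrete in a few dozen lines. The following is an added illustration, not code from the article or from Netwrix: the inventory, the records and the audit-log lines are all constructed, the store names and retention periods are assumptions, and a real deployment would read these from the organization’s own classification and logging systems. It does two things: it reports every record whose retention period has expired (with the action the inventory prescribes, erase or review) and treats any record in a store missing from the inventory as an unclassified finding rather than silently skipping it; and it flags exports of inventoried personal data to any destination other than the internal network.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    keep_days: int   # days to keep after collection
    action: str      # what Recital 39 asks for once the period ends: "erase" or "review"


# Constructed data inventory: store name -> (data category, purpose, retention rule).
# Store names and periods are assumptions for this example only.
INVENTORY = {
    "crm.contacts": ("contact details", "customer support", RetentionRule(730, "review")),
    "hr.applications": ("candidate documents", "recruitment", RetentionRule(180, "erase")),
    "web.marketing_leads": ("email addresses", "marketing consent", RetentionRule(365, "erase")),
}


@dataclass(frozen=True)
class Record:
    store: str
    record_id: str
    collected_on: date


# Constructed sample records; "finance.ledger" is deliberately absent from the inventory.
RECORDS = [
    Record("hr.applications", "cand-001", date(2019, 6, 1)),
    Record("hr.applications", "cand-002", date(2020, 1, 15)),
    Record("crm.contacts", "cust-100", date(2017, 12, 1)),
    Record("web.marketing_leads", "lead-7", date(2019, 3, 15)),
    Record("finance.ledger", "txn-9", date(2019, 1, 1)),
]

# Fixed "today" so the example is reproducible.
TODAY = date(2020, 3, 2)


def review_retention(records, inventory, today):
    """Return (store, record_id, action, days_overdue) for every record past its
    retention deadline. A record whose store is not in the inventory is reported
    as 'unclassified': an inventory gap is itself a finding."""
    findings = []
    for r in records:
        entry = inventory.get(r.store)
        if entry is None:
            findings.append((r.store, r.record_id, "unclassified", 0))
            continue
        rule = entry[2]
        deadline = r.collected_on + timedelta(days=rule.keep_days)
        if today > deadline:
            findings.append((r.store, r.record_id, rule.action, (today - deadline).days))
    return findings


# Constructed audit-log lines: "<timestamp> <user> <action> <store> <destination>".
AUDIT_LOG = [
    "2020-03-02T09:14:05 alice EXPORT hr.applications mailto:recruiter@partner.example",
    "2020-03-02T09:20:11 bob READ crm.contacts internal",
    "2020-03-02T10:02:48 carol EXPORT crm.contacts s3://public-bucket.example/dump.csv",
    "2020-03-02T10:05:00 dave EXPORT finance.ledger internal",
]


def flag_external_sharing(log_lines, inventory):
    """Return (user, store, destination) for each EXPORT of an inventoried store
    to a destination other than 'internal'. Malformed lines are skipped."""
    alerts = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, user, action, store, dest = parts
        if action == "EXPORT" and store in inventory and dest != "internal":
            alerts.append((user, store, dest))
    return alerts


if __name__ == "__main__":
    for finding in review_retention(RECORDS, INVENTORY, TODAY):
        print("retention:", finding)
    for alert in flag_external_sharing(AUDIT_LOG, INVENTORY):
        print("sharing alert:", alert)
```

Note that `lead-7`, collected on 2019-03-15 with a 365-day rule, is not reported: the leap day in February 2020 puts its deadline at 2020-03-14, after the fixed review date, which is exactly the kind of boundary a retention job must compute rather than estimate.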
Also, communication should not be limited to the stakeholders of one specific business. Thousands of other organizations are fighting the same compliance battle, so it is important for organizations to gain and share knowledge in professional networks, at conferences and at meetups.
What to expect
Privacy compliance brings a lot of confusion, but with time we will see more guidance, instruments and frameworks that help organizations achieve privacy compliance in a less painful way. Best practices are yet to be standardized, so, as of now, security and compliance professionals should accumulate knowledge together.
Finally, we should keep in mind that more privacy regulations are coming. To be ready for tomorrow, organizations should establish mature data governance processes today. Thus, it is crucial for any organization that collects PII to understand the data flows in its environment and to track what happens to regulated data at each stage of the data lifecycle, from initial collection to disposal.
About the Author
Ilia Sotnikov is responsible for Netwrix product vision and strategy. He has over 15 years of experience in the IT management software market. Prior to joining Netwrix in 2013, he managed SharePoint solutions at Quest Software (later acquired by Dell).
Disclaimer: CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views expressed in this article are personal.