Third party compliance most challenging aspect of GDPR, research finds
9 July 2019
Third party compliance is the most challenging aspect of GDPR, according to research from BSI’s Cybersecurity and Information Resilience centre of excellence, which examined the impact of the first year of GDPR.
Other challenges include budget allowances for implementing compliance that demonstrate and prioritise value, monitoring data breaches, and handling data subject access requests (DSAR).
Commenting on the challenges, Conor Hogan, senior information governance manager at BSI, said: “Monitoring of third parties is a critical compliance process and there are software solutions available that assist with regular third party compliance monitoring and risk management processes.
“Allocating budget can be more challenging, so for this it’s important to record the metrics of any incidents when they occur so that it can be measured against the operational impact for the organization to demonstrate the value of the GDPR preparedness required. An incident can include a data breach and DSAR – these can have a significant impact on resources for an organization.”
To date there have been 89,000 data breach notifications, 144,000 individual complaints, and over 440,000 cross-border cases, while GDPR enforcement actions have resulted in over €56 million in fines, according to the International Association of Privacy Professionals (IAPP).
However, BSI’s research revealed that 40% of respondents were not prepared for regulatory investigation, while 34% did not know if they were ready. Just 26% of respondents claimed to be prepared for an investigation.
Over the last 12 months, one in five respondents experienced a data protection breach. This could range from sending an e-mail to the wrong recipient, to physical theft of data or an employee falling for a phishing email. Breaches are a key element of GDPR regulation, specifically the requirement to alert regulators.
“It’s likely that an organisation will experience a data breach during its lifetime, but the level of complexity and challenges faced will differ for each. Companies need to be prepared by focusing on security, data management, employee awareness and the compliance requirements of regulatory bodies. They need to know what data they have; where it is; the legal basis for it; who it’s being disclosed to; how long they are going to keep it for; and the specific purpose for processing it.”
Hogan sees the first year of GDPR as a bedding-in period: “going forward we are certain to see mounting enforcement from the regulators. Compliance should be a pre-requisite for all organisations, regardless of their size, and preparedness is the first step to achieving a state of enhanced information resilience.”