Remember the 2018 rush to become General Data Protection Regulation (GDPR) compliant?
While the GDPR is established in the European Union, businesses of all sizes across the globe need to comply if they:
- Are based in the EU
- Offer goods and services in the region
- Monitor the behaviour of individuals in the EU.
The regulations were introduced with the threat of fines for non-compliance. However, in 2020, enforcement of the rules was temporarily relaxed to support organisations through the challenges of COVID-19.
With this announcement of regulatory flexibility, and with businesses doing what they could to pivot and survive through the pandemic, it's highly likely that GDPR compliance became less of a focus — in 2020 and today. But change is coming back around.
Without continuous oversight, organisations risk hefty GDPR fines in the coming years. The good news is that it's possible to minimise this risk.
Tanium chief IT architect for EMEA Oliver Cronk says that as COVID-19 restrictions continue to ease in many parts of the world, now is an opportune time for organisations to assess how they operate to ensure any new processes or ways of working are fully GDPR compliant.
"To correctly follow the guidelines, enterprises should work with their data protection officers to support the whole organisation — particularly when new operating models and processes have had to be introduced overnight in many cases," says Cronk.
"Examples of these changes can be found in sectors like hospitality, which is now collecting more personal information from customers than ever due to new pandemic-related processes. It's easy to fall into the trap of not declaring what the data is being used for, how it's being processed and how long it will be kept.
"Organisations need to ensure compliance for post-pandemic processes isn't overlooked, or they may be in for nasty surprises such as fines in the near future."
While it is obvious that the GDPR applies to organisations located in the EU, it also applies to organisations outside the EU that market to consumers in the region — i.e. by offering goods and services (including free-of-charge).
With the UK Information Commission's definition of personal data as ‘information that relates to an identified or identifiable individual', almost no business is exempt from GDPR rules. The data that identifies an individual could be as simple as a name or phone number — but could also include other, more complex identifiers such as an IP address or cookies and other digital factors.
Organisations should be aware of what consumer data it holds and how it's being leveraged. The security and compliance risks posed to businesses without this certainty are simply too great.