FEATURE
As significant fines are levied, I believe the definition of personal data will become clearer. But that’s the catch and reflects my earlier point – we’re still waiting for regulators to levy a substantial fine for failure to protect personal data and/or the inability to prevent a data breach. Until that happens, confusion will remain rampant and organisations will flounder in their efforts to achieve GDPR compliance.
Changing the ‘doing just enough’ attitude
A by-product of the confusion around GDPR compliance is the attitude many organisations employ in their compliance initiatives and efforts. I believe the true inspiration behind GDPR was to force organisations to become good data stewards, to re-examine their data management and protection policies and to develop strategies that would give consumers peace of mind that their data was protected by these companies.
But that’s not what’s happening. Instead of employing good data stewardship practices, many organisations focus their compliance efforts on doing just enough to avoid fines or other punitive consequences. The definition of ‘just enough’ will continue to be a moving target given the broad definition of personal data contained within the legislation. As a result, organisations with this mindset will find true compliance remains elusive.
As is the case with confusion around personal data, the driving force for better data stewardship – or, complying with the spirit as well as the letter of GDPR legislation – will be significant enforcements and fines. Luckily, as more nations and regions/states enact legislation like GDPR, there will be more opportunities for this type of meaningful enforcement.
The rise of legislation – who’s doing it right?
From California to Brazil to India, everyone is clamouring to enact GDPR-like legislation aimed at protecting consumer data. While I’d love to say this
movement is truly altruistic in nature, it’s likely these governments understand the revenue potential they can realise through fining organisations that fail to comply. That said, what these laws mean is that, eventually, organisations who want to do business anywhere will need to consistently demonstrate personal data protection is top-of-mind in their business practices.
More importantly, I believe these laws will act as a forcing function to change the mindset of those organisations who only want to do what they must to meet basic compliance requirements.
I saw an example of this attitude shift during a recent trip to India.
India is looking to enact data privacy legislation later this year and in speaking with Indian executives and security professionals, compliance is top-of-mind. But their efforts go further than
that. Instead of asking about specifics around what actions would constitute failure to comply, I found Indian security leaders were concerned with bettering their overall data protection and privacy practices. They were dedicated to enacting best practices around data
Issue 11 | www.intelligentciso.com