GDPR fines hit hard in 2021, especially hammering fast-growing and evolving businesses for accidental or careless EU GDPR violations. Tugboat Logic’s CISO, Jose Costa, explains how creating a privacy-focused culture can minimize risk.
When the EU’s General Data Protection Regulation (GDPR) was enacted in 2018, it set a new bar for data protection and privacy rights, spurring the adoption of heightened data privacy standards around the world. While many companies have been able to adapt to the complexities of the GDPR, few have achieved continuous compliance. And GDPR fines are still hitting companies hard: in 2021, total fines reached $1.2 billion, up $180 million from 2020.
But the primary challenge to achieving compliance is not the same as in 2018, when most businesses cited regulation complexity and budget strains as the biggest roadblocks to meeting GDPR standards. As technology and business models have evolved — rapidly in recent years — the greatest hurdle today is maintaining compliance amid business growth and evolution. That is particularly true for new businesses and startups planning for rapid scale and expansion.
However, for companies of any size, balancing compliance and growth is attainable by prioritizing privacy by design in every aspect of organizational processes, workflows and security solutions, as well as cultivating a privacy-first culture. By emphasizing these approaches from the top down, organizations can move toward achieving continuous compliance — protecting their bottom lines and preserving consumer trust.
Managing compliance amid business evolution
The result of GDPR noncompliance goes beyond hefty fines. It may also hurt companies’ reputations, which can erode both competitive advantage and consumer loyalty.
Noncompliance usually isn’t intentional. It’s the result of a lack of oversight as businesses grow and take on new structures and systems. Technology, processes and workflows change as organizations evolve — from offering new services and onboarding new vendors to implementing new applications, system architectures and data-collection methods. It can be challenging to keep privacy top-of-mind while adapting to these business evolutions.
Even marketing efforts, like campaigns or product launches, can result in the unintentional transfer or collection of data that doesn’t meet GDPR standards. And beyond organizational boundaries, businesses must ensure that privacy protocols extend to every vendor and outsourced partner they engage with — even if they’re based in a country outside of the EU.
Internally, noncompliance is exacerbated by employee knowledge gaps in how data is collected, used and transferred in everyday operations. As technology evolves and leadership introduces new platforms, not all employees who access sensitive data will follow the same security and privacy protocols.
Inconsistent or stifled communication across departments and teams — as well as between employees and decision-makers — can make standardizing privacy knowledge and protocols difficult. As employees are hired, onboarded and promoted throughout organizations, varying or nonexistent privacy training can create major disruptions that contribute to GDPR violations.
The importance of privacy by design
At its core, privacy by design is about examining the privacy implications of business decisions and building privacy into every department, process, technology and initiative. When it comes to data subject rights and protections specifically, organizations should consider privacy when determining any new kind of data processing or data modification.
But this is easier said than done. Because data processing takes place in many instances throughout a single organization, it can be difficult to identify all of the business arms and processes that data touches. To identify and mitigate privacy risks in a new marketing campaign or technology implementation, for example, organizations must have the capability to execute privacy training, preventative measures (like data encryption and the use of tokens) and detective measures (like post-implementation reviews of privacy compliance).
In action, privacy by design may look like requiring new vendor approval by a dedicated privacy team before onboarding, ensuring that vendors can meet compliance requirements, understand privacy protocols, and do not carry a larger compliance risk than the business can tolerate. Companies may also choose to standardize processes for launching data protection impact assessments (DPIAs) for every process, technology or personnel change that is likely to involve processing high-risk personally identifiable information (PII).
Privacy by design can take many forms, but it should be reinforced in company culture and leadership that takes a privacy-first approach — ensuring privacy is always at the forefront of company decision-making.
Three ways to incorporate privacy by design and cultivate a privacy-first culture
Implementing privacy by design may seem complex. But adopting the right technologies and practices can help keep privacy top-of-mind and reinforce a privacy-first culture. In particular, consider three key tips for designing organizational processes that enable privacy by design and ultimately boost your GDPR compliance:
Look for automated solutions
Tasks like obtaining consent, sending privacy notices and managing data subject rights requests can be automated to improve both accuracy and efficiency. In the case of data privacy, these solutions can help your teams monitor compliance at every level of your organization, including the managing and onboarding of vendors and outsourced partners.
Leverage data discovery
Data discovery — the process that identifies predefined types of data — is crucial for determining assets in your organization that contain PII. Use data discovery to find PII in assets that often go unnoticed and identify how it needs to be protected. Data discovery is also critical to monitoring data flows — i.e., determining how data moves throughout your organization, who handles it and where it is stored. In analyzing data flows, you can better identify if data is being misused, collected, or transferred in a way that does not meet GDPR standards.
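As an added illustration of the two data discovery tasks described above (finding PII in assets and checking the flows that carry it), the following Python script is example code written for this page, not a tool from Tugboat Logic or the article. It assumes that "predefined types of data" are recognised by pattern matching, uses deliberately simplified, hypothetical detectors for email addresses, international phone numbers and IBANs, and uses a constructed list of assets and a constructed region policy (`ADEQUATE_REGIONS`); a real scanner would validate matches (IBAN checksums, locale-aware phone parsing), cover far more categories, and take its region policy from counsel.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Predefined PII types and the patterns used to recognise them.
# Simplified, hypothetical detectors for illustration only.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){3,4}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"),
}

# Regions where PII may be stored, or to which it may flow, without an
# additional transfer safeguard. Constructed policy list for the example.
ADEQUATE_REGIONS = {"EU", "EEA", "UK", "CH"}


@dataclass
class Flow:
    """One onward transfer of an asset's data to a system, vendor or partner."""
    destination: str
    region: str
    safeguard: Optional[str] = None  # e.g. "SCC" (standard contractual clauses)


@dataclass
class Asset:
    """A data store, export or log file the scanner can read."""
    name: str
    owner: str
    region: str
    content: str
    flows: list = field(default_factory=list)


def discover_pii(asset):
    """Return {pii_type: count} for each predefined PII type found in the asset."""
    found = {}
    for pii_type, pattern in PII_PATTERNS.items():
        hits = pattern.findall(asset.content)
        if hits:
            found[pii_type] = len(hits)
    return found


def build_inventory(assets):
    """Map every asset that holds PII to the PII types it contains."""
    return {a.name: types for a in assets if (types := discover_pii(a))}


def flag_flows(assets):
    """Flag PII stored outside adequate regions and PII flowing to a
    non-adequate region without a safeguard. Returns (asset, problem) tuples."""
    issues = []
    for asset in assets:
        if not discover_pii(asset):
            continue  # no PII, so its location and flows are not a privacy concern
        if asset.region not in ADEQUATE_REGIONS:
            issues.append((asset.name, f"stored in {asset.region}, outside adequate regions"))
        for flow in asset.flows:
            if flow.region not in ADEQUATE_REGIONS and flow.safeguard is None:
                issues.append((asset.name,
                               f"transferred to {flow.destination} ({flow.region}) without safeguard"))
    return issues


# Constructed sample assets: a CRM export, an application log, a database
# backup held outside the EU, and a document with no PII at all.
SAMPLE_ASSETS = [
    Asset("crm-export.csv", "marketing", "EU",
          "name,email,phone\nAnna Schmidt,anna.schmidt@example.org,+49 30 1234 5678\n",
          flows=[Flow("mailing-vendor", "US", safeguard="SCC")]),
    Asset("app-server.log", "platform", "EU",
          "2021-06-01T10:02:11Z login ok user=anna.schmidt@example.org ip=10.0.0.5\n",
          flows=[Flow("log-analytics-saas", "US")]),
    Asset("payments-backup.sql", "finance", "US",
          "INSERT INTO payouts VALUES ('DE89 3704 0044 0532 0130 00', 'Anna Schmidt');\n"),
    Asset("release-notes.md", "product", "EU",
          "v2.3: added consent banner, fixed export bug\n"),
]

if __name__ == "__main__":
    for name, types in build_inventory(SAMPLE_ASSETS).items():
        print(f"{name}: {types}")
    for name, problem in flag_flows(SAMPLE_ASSETS):
        print(f"FLAG {name}: {problem}")
```

Note that the log file is the asset that "often goes unnoticed": nobody declared it as PII-bearing, but an email address in a login line makes its export to an unsafeguarded analytics vendor a flow worth reviewing, which is exactly the kind of finding data discovery is meant to surface.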
Emphasize privacy from the top down
All levels of your organization contribute to building a privacy-first culture, and this starts with leadership. Communicate the importance of privacy by design and prioritize privacy awareness and training for all teams. The larger your organization, the more difficult it can be to identify business changes that impact compliance. Lessen this risk by ensuring all employees are engaged and informed about how they can support data privacy and security in their day-to-day work.
Toward continuous compliance
High GDPR fines in 2021 may paint a bleak picture when it comes to meeting data protection standards. But don’t let this deter you — continuous compliance is possible by embracing privacy by design as a business cornerstone.
As technology and business models continue to evolve, a privacy-first culture will be even more important to ensure consistency in your data protection and privacy protocols. Change is inevitable, but you can scale for growth and avoid GDPR noncompliance by considering privacy in every business decision and organizational process you implement. Your consumers — and your bottom line — will be safer for it.