It is not possible without rationalization and automation
Statement from Steve Bradford, Senior Vice President EMEA at SailPoint
On May 25, 2018, the EU General Data Protection Regulation (GDPR) came into binding force. It regulates and standardizes how companies collect and process the personal data of individuals, replacing Directive 95/46/EC of 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It applies to any company, regardless of its location, that processes the data of persons within the European Economic Area. Because non-compliance carries severe penalties, and because data protection breaches are accompanied by a massive loss of reputation, the GDPR is and remains an essential issue for companies.
According to a recent study by the international law firm DLA Piper, the total of fines imposed for GDPR violations across Europe rose to 1.1 billion euros last year. For comparison, the previous year's figure was 158.5 million euros, an increase of almost 600 percent. In a country-by-country comparison, Germany holds the top position in the number of reported data protection violations (since 2018) and, with a single fine of 35 million euros, is also among the countries with the highest individual fines imposed.
But how do German companies see the GDPR, and what is the status of their compliance? A 2020 study by the German Economic Institute (IW) shows that the majority of companies (54 percent) do not see the regulation as a competitive disadvantage, but a good third (34 percent) do perceive it as one. Of the latter, 96 percent specifically complain about the high implementation effort and the associated legal uncertainty, and 89 percent about the fear of high penalties. According to a recent Bitkom survey, 29 percent of companies in Germany are only partially GDPR-compliant, and 5 percent were still at the very beginning of implementation at the time of the survey.
That companies are sometimes overwhelmed by GDPR compliance is understandable given the complexity of the regulation. The positive side is that compliance with the regulation is entirely feasible, and companies are not helpless in the face of its complexity. It is important to emphasize, however, that compliance is a continuous process that must be adjusted and readjusted over time. How should companies proceed in concrete terms? As a best practice, a good first step is to understand the regulatory requirements as thoroughly as possible and to determine how they affect your own industry. In the second step, companies should carry out assessments to identify their own data protection risks, set priorities, and draw up an action plan to mitigate the most important ones. After that, the existing security policies and procedures should be reviewed to ensure that they comply with the regulations applicable to your company.
To ensure sustainable GDPR compliance and to remain in control of the situation despite all the complexity, companies should streamline and automate compliance processes and policies as far as possible. By doing so, they save costs and valuable employee time while reducing the risk of devastating data breaches caused by manual errors. Solutions from the field of identity security in particular have proven themselves in practice.
Background: Such solutions automate, manage and govern access in real time, ideally with AI- and ML-supported transparency and control. In this way they enable fast, secure and scalable operation in a cloud-centric, threat-intensive business world. They support compliance by governing access and tracking usage, with policies enforced for all users, applications and data at all times.
Finally, it makes sense to verify continuously through audits that all internal processes are working as intended and, where in doubt, to adapt them. Regular employee training on the GDPR and on the handling of sensitive data also helps.