
CISOs must beef up defenses after landmark GDPR fine for British Airways


For years now, GDPR has been hanging over the heads of senior executives. But HFS’ research indicates that instead of taking action, the C-Suite adopted a wait-and-see policy, largely to find out how aggressively the new regulation would be enforced. The landmark £183 million fine proposed against British Airways for infringements is a bellwether: it is high time executives built up their defenses and brought in the brains and brawn of leading service providers.

 

 

The regulatory environment has changed, pushing the maximum fine from a paltry £500,000 to £183 million in the case of British Airways

 

Historically, there was little punishment for the misuse of data. The penalty was a meager fine capped at £500,000 under the Data Protection Act 1998, like the one handed to Facebook over the Cambridge Analytica scandal. GDPR has changed this. Enterprises are now liable for fines of up to 4% of their annual worldwide turnover or €20 million, whichever figure is higher.

 

The British Airways fine is a statement of intent: GDPR is real, and it is going to pinch your pennies. British Airways’ worldwide turnover last year was £11.6 billion. The ICO (Information Commissioner’s Office) has proposed a fine of roughly 1.5% of that, or £183.4 million. This fine is the largest of its kind and must act as a warning sign. It dwarfs anything that has previously been handed out, although it is important to note that it could have been far worse: at the 4% cap, the fine could have exceeded £460 million, more than double the proposed amount.

 

 

The reality is that many enterprises still aren’t equipped to secure their data; they must act quickly to bring in expertise from the provider community

 

It is fair to say that many enterprises are in a sorry state when it comes to preparation for GDPR. Even when the initial deadline was outlined, enterprise leaders showed a somewhat relaxed approach to the regulation (see Exhibit 1). And while the deadline has long since passed, examples like the British Airways fine reveal that executives have done little in recent months to build a more secure position.

 

 

Exhibit 1: Global enterprises are in mixed states of GDPR preparedness

 

 

 

Source: HFS Research; N=300 Business Executives

 

 

However, service providers have long been developing services and solutions to help secure modern enterprises, with many tailoring solutions directly to GDPR compliance. Accenture’s GDPR Intelligent Solution is one example.

 

 

Accenture’s solution (see Exhibit 2) supports three main processes in the data supply chain: capture, curate, and consume. It tracks data from the point it enters the enterprise from structured and unstructured sources, through the enterprise systems and processes that use it, and for what purpose. This means data controllers can create a repeatable process that swiftly scans large amounts of data throughout its lifecycle. This matters because GDPR compliance is an ongoing obligation, not a one-off exercise.

 

 

Exhibit 2: Accenture Solution

 

 

 

 

 

Source: Accenture.com

 

 

A second source of help comes from IBM’s partner, Northdoor. Northdoor has outlined an eight-step solution aimed at addressing the key challenges organizations face in maintaining their ongoing response to GDPR.

 

Northdoor looks to embed the GDPR processes in business-as-usual practices with the intention that they become near-invisible automated processes that allow internal personnel to focus on their core work.

 

OneTrust offers a further comprehensive solution to GDPR management: a platform that includes readiness assessments, privacy impact assessments, data mapping automation, website scanning and cookie compliance, subject rights and consent management, incident reporting, and vendor risk management. The OneTrust platform’s goal is to make the ongoing response to GDPR easy to manage.

 

 

The Bottom Line: Regulators are getting serious about GDPR; you can’t afford to get caught out by not being prepared!

 

GDPR is here. A statement was made with the fine proposed against British Airways, and no doubt it left British Airways executives wanting something a little stiffer in their morning cup of tea. The ICO attributed the compromise to poor security arrangements at the company, so this consequence was avoidable, and it must act as a wake-up call for any enterprise that has been sluggish in its preparations. Enterprises should be looking toward service providers to guide them through these difficult times. Ultimately, the cost of partnering with a firm like Accenture will be considerably lower than the fine you will face after the data disaster that follows from neglecting your defenses.
