When the EU enacted GDPR in 2018, executives and security professionals waited anxiously to see how the law would be enforced. And then they kept waiting…and waiting…but the Great European Privacy Crackdown never came. For a while it seemed like the only way you’d get slapped with a GDPR fine was to do something truly egregious or be named Mark Zuckerberg. (Or preferably both.)
But the days of betting that you’re too big or too small to be noticed by GDPR are over. Recently, EU member nations (plus the UK) have started taking action against data controllers of all sizes, from the big (Amazon), to the medium (a trucking company), to the truly minuscule (a Spanish citizen whose home security cameras bothered their neighbors).
So what changed between 2018 and 2024? Perhaps the biggest factor was the EU cracking down on companies putting bogus “headquarters” in countries with friendly regulators, particularly Ireland. But it certainly didn’t help that the last few years have seen an unending tide of data breach stories, and the public’s relationship with tech has increasingly soured. There’s an appetite for enforcement these days, and it’ll probably get worse before it gets better.
If you’re an IT or security professional, you may be wondering what to do with this information. Unfortunately, GDPR compliance isn’t the kind of thing you can solve by buying a tool or scheduling a training session. The best place to start is to adopt a policy of data minimization: collect only the data you truly need to function, on both customers and employees.
After that, your second priority must be securing the data you have. Of course, that’s easier said than done, but you can start with doing more to protect against common breach culprits like compromised passwords. (Call us biased, but getting a password manager for every employee really is table stakes for good security.) You also need to monitor where all your data is going, so PII doesn’t disappear onto Shadow IT apps and unmanaged devices.
We’ll close with a 2022 quote from John Edwards, the UK Information Commissioner:

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”
In other words: it’s time to get serious about GDPR.