After the General Data Protection Regulation (GDPR) came into effect in May 2018, global organizations handling the data of European citizens have reinforced their IT security infrastructure to comply with the regulation's security mandates. Despite that, GDPR supervisory authorities have imposed heavy penalties on multiple organizations for various reasons. More than 2,80,000 cases have been recorded by the supervisory authorities in a short span of time (1 year), with total penalties reaching almost 3.72 crore euro.
Google was recently fined $57 million for not complying with the transparency and consent requirements stated in the EU GDPR. Earlier, British Airways was fined almost 183 million pound for a breach that exposed the sensitive data of more than 5 lakh customers. In addition, Marriott International had to pay almost 9.9 lakh pound for exposing the personal data of more than 339 million customers. GDPR penalties are decided on the basis of a range of factors:
- Nature and severity of the infringement
- Intentional or unintentional infringement
- Whether it was the first incident
- Types of data or records affected
- Adherence to the regulation's code of conduct
- What action the organization has taken after the incident
All of the above parameters are taken into consideration by the supervisory authority before any monetary penalty is imposed on the organization concerned.
Expectations, Challenges and Compliance
With the objective of successfully implementing EU GDPR standards, global organizations are expected to reinforce their inner perimeter, which we discussed in one of our previous articles (Read – Strengthen Compliance Framework to Avoid Hefty Regulatory Fines). Organizations are expected to follow the regulatory standards to combat modern, sophisticated IT security challenges, which arise mainly from the abuse of confidential data. In a typical shared and distributed environment, every layer of IT systems and infrastructure carries risk elements that are targeted by cyber criminals.
The major IT security challenge organizations face is protecting their crucial data assets from suspicious third-party users and malicious insiders. It becomes a herculean task for data controllers to continuously monitor the activities of hundreds or thousands of end users (data processors).
Moreover, if the organization maintains data in third-party environments such as Managed Service Providers and cloud service providers, the job of data controllers and data processors becomes all the more complex. The situation becomes riskier and tougher when too many privileged accounts access confidential business information. These privileged accounts are the gateways to confidential information and are thus more exposed to breaches.
Global compliance standards like the EU GDPR are the biggest push towards data security and data privacy in organizations. The regulation mandates that an organization's IT infrastructure have a well-defined security policy framework to control privileged access. To overcome these challenges, data controllers and data processors should adopt a robust IT security solution such as Privileged Access Management (PAM) to secure privileged accounts from unauthorized end users and to seamlessly monitor privileged user activities.
ARCON is a leading enterprise risk control solutions provider, specializing in risk-predictive technologies. ARCON | User Behaviour Analytics enables monitoring of end-user activities in real time. ARCON | Privileged Access Management reinforces access control and mitigates data breach threats. ARCON | Secure Compliance Management is a vulnerability assessment tool.