What will the post-GDPR regulatory landscape look like?

The 25 May 2018 deadline for the General Data Protection Regulation has now expired. This means that it’s now time to consider what might happen next.

Although GDPR has been a long time coming, many organisations felt pressed for time as 25 May began to loom large. Even if using a tool like the OXIAL GDPR EXPRESS solution, it can be hard to get everything ready if you leave it too late.

Based on OXIAL’s years of experience in risk management, IT security and compliance, OXIAL GDPR EXPRESS can be live and operational in less than 90 days, so it is worth getting started if your organisation has not already.

But assuming that most organisations have at least made some preparations – although that’s not necessarily the case – what will happen now that the GDPR is in force?

Massive fines?

Failure to comply with GDPR will result in fines of up to €20,000,000 or 4% of an organisation’s annual global turnover, whichever is greater. However, it is highly unlikely that the first few days or even weeks will see any such fines take place.

That’s not to say though that the figures mentioned have been plucked from the ether, and at some stage a company will undoubtedly be hit with a major fine when the regulators decide to get tough. It is more likely to be from a case brought by a consumer whose rights to data portability were not upheld by an organisation, rather than a significant data breach.

The first such case will be massive news and the company in question will suffer real damage to their reputation, forever known as the first organisation to fall foul of GDPR. Definitely worth making sure that it isn’t your organisation to suffer that fate.

GDPR-based cyber crime?

Cyber attacks are on the rise, both in terms of volume and also in terms of the professionalism and sophistication of the cyber criminals themselves. The organisation of hackers will often far outweigh a company’s ability to defend itself, and as well as this, many firms are unable to effectively quantify the impact of such risks, leaving them highly vulnerable.

Given the severity of the penalty for non-compliance with GDPR, it is easy to imagine cyber criminals planning on using GDPR as a means of cyber attack. As ransomware has increased over the past two years – where access to files is withheld unless a ransom is paid – so a similar approach could be deployed around GDPR. A hacker could target an organisation by stealing data or planting malware with the intention of extorting money.

Organisations are rarely as protected as they could be with regard to cyber crime, certainly lacking the sophistication of tools to combat hackers. GDPR could only exacerbate this and highlights the need for a fresh approach to cyber security, one that integrates IT risks and threats with overall risk and compliance structures.

Keeping quiet about breaches?

As and when an organisation faces a breach that impacts their GDPR compliance, it is a moot point as to how upfront they will be about coming clean. Such an approach is of course not to be recommended, but it would be no surprise to see businesses keeping quiet and hoping that they will get away with any breach.

This could be due to a desire to avoid a fine or the attendant bad publicity that would emerge, or perhaps they simply do not have that information to hand and are lacking the continuous monitoring that should be in place. Only finding out about a breach via a third party could have disastrous consequences in terms of the time taken to respond.

But the most important thing to remember is that the GDPR is not a one-off piece of legislation, and organisations should expect many adjustments to the GDPR (the DSGVO, as it is known in Germany), even if the deadline has expired. It will not be static compliance and some things will change over time. That’s why it’s important to have consultants who know exactly what changes mean to your organisation and its ability to comply with regulations.

Eric Berdeaux is CEO of OXIAL, the New Generation GRC solutions provider 

OXIAL’s New Generation GRC solutions are entirely built to address some of the greatest challenges impacting organisations that are faced with Risk Management, Internal Control and Compliance and Audit. OXIAL’s integrated GRC platform enables organisations to become more efficient and effective in mitigating risk by integrating and automating GRC processes on a global scale.

Featuring intuitive and powerful tools that make it possible to respond to fast-evolving risk environments, OXIAL makes it easy to synchronise corporate governance, enterprise risk management and corporate compliance activities and undertake real-time monitoring across all business and IT processes and company assets. OXIAL operates globally across multiple industries and meets the needs of over 40 customers who have chosen OXIAL to drive business performance and achieve success.