Three years after the introduction of the EU’s General Data Protection Regulation (GDPR), risk professionals have a much better idea of what supervisors want to see, and what best practice looks like.
Much has happened in the interim. High-profile investigations into data breaches by organisations have shown the costs of non-compliance and revealed more about the approach taken by UK authorities to policing the new rules.
More recently, GDPR’s implementation and enforcement have continued through the uncertainties of the Brexit transition period, and now amid the transformative risk environment of the Covid-19 pandemic.
In 2018 legal firm BLM partnered with Airmic to publish a GDPR report when the regulation was first implemented. In 2020 the two organisations partnered again to provide an update on regulators’ enforcement actions.
BLM has again teamed up with Airmic in 2021 to provide an update: “GDPR and adapting to the Covid-19 world.” This latest white paper is authored by Nick Gibbons, a partner at BLM.
The study describes in detail how the effects of the pandemic have also transformed GDPR compliance, not just during the initial crisis and lockdown period, but now that many organisations are planning for a partial return to offices in particular.
“Although there will be a partial and welcome return to many pre-Covid business and social patterns, we have discovered that many of the new ways of doing things are quicker, more economic and more convenient than what we were doing before and, in some cases, enable us to do things that are simply not possible outside the virtual world of the internet,” Gibbons writes.
Many of these changes are here to stay as part of a new hybrid normal, the white paper emphasises, and it outlines the technical challenges and vulnerabilities facing many firms. These vulnerabilities have coincided with a huge increase in cybercrime during the pandemic, the report warns.
Ransomware attacks have been on the rise in particular. Such attacks have focused on stealing personal and commercial data, with serious ramifications for risk management and GDPR compliance, according to the white paper.
“The types of businesses and organisations targeted by cybercriminals have become much more varied, and include small and medium-sized businesses and organisations such as schools, charities, distributors, finance companies, retailers, publishers, manufacturers, professionals, surgeries,” Gibbons continues.
Working from home (WFH) is at the core of the Covid era of GDPR compliance, according to the paper. The risks are now much higher for firms that do not change their approach to cyber security for the WFH era.
“WFH, even if only a part of the post-Covid normal, has rendered many existing security regimes, designed for a pre-pandemic world, redundant,” Gibbons writes.
“The likely new hybrid environment with many staff working from home for part of the week creates different and greater challenges, and the need for further training and supervision designed to address this new normal.”
To read more about what organisations can do to continue to protect themselves in the WFH era, read the full report online.