So, it really is more than 3 years since we implemented a system to facilitate compliance with the EU GDPR regulations. This BBC report summarizes the experience so far.
On reviewing the article, there seem to be two categories of infraction: those that have flouted the law, for example by not seeking consent to use personal or private data, and those that have become victims of a cyber-attack. In promoting our GDPR solution we experienced considerable apathy towards the issue. However, given the extent of the fines, surely companies are now taking these legal responsibilities more seriously? A company that has not yet experienced a data breach is just living on borrowed time.
For the latter category, cyber criminals are becoming more sophisticated, and with any software it is notoriously difficult to make it "bullet proof". The effects of spoofed emails, spam calls, and look-alike web sites rely on consumers recognizing the risks, and the companies who are affected cannot be expected to educate the world. In these cases, it is surely the responsibility of the affected company to quickly mitigate the risk to the consumer as soon as they discover the breach, but in practice they will never be able to prevent them all. For this reason, some of the fines mentioned in the article seem a bit unfair, but of course we can never know the full details and reasons behind the sanctions.
The fact that the fines go into general revenue makes one wonder: where is the incentive on the part of Governments to tackle the root cause, the cyber criminals, rather than just collecting the fines and moving on to the next unfortunate? It would be better to put at least a portion of the collections into funding the special skills needed for better policing and awareness education.
There is, however, good news from the USA, where the FBI was able to recover ransoms paid to attackers who affected critical infrastructure and food supply. Ransomware is becoming a scourge, and no company can say with confidence that they are fully protected. Bear in mind that the attackers don't necessarily have to encrypt the data to cause harm; they can just find sensitive data and threaten to expose it. Which takes us right back to the social aspect of this: the consumer or the "end user" unknowingly compromises access to the system. In 2021, with a large portion of the workforce still working from home, systems are less protected both physically and through the corporate IT infrastructure.
In summary, data protection is no longer solely the domain of IT and such things as anti-virus software. Now it is a social concern that needs to be tackled in social ways, through raising awareness and educating the users. Once a breach is identified, it should be well known how to easily and quickly report it to the right experts, be they IT or data protection (DP) professionals. This was the purpose of the system we developed at the beginning of GDPR, and maybe now its time has come.