Maintaining GDPR and Data Privacy Compliance in 2024 – IT Governance UK Blog
Expert tips from Alan Calder
Alan is the Group CEO of GRC International Group PLC, the parent company of IT Governance, and is an acknowledged international security guru.
He’s also an award-winning author, and has been involved in developing a wide range of information security and data privacy training courses, has consulted for clients across the globe, and is a regular media commentator and speaker.
We sat down to chat to him about industry challenges in 2024.
There are still more than ten months to go in 2024. What challenges do you think we’ll see before the year ends?
For a start, maintaining data privacy and GDPR [General Data Protection Regulation] compliance will become increasingly complex through 2024, particularly for organisations operating across multiple jurisdictions.
GDPR enforcement within the EU, combined with the EU-US data privacy framework and the planned changes to the UK GDPR, all bring challenges in terms of keeping on top of what must be done.
In addition, 14 US states now have their own data privacy laws, and GDPR-like legislation has proliferated across the world.
The volume of cyber security and cyber resilience legislation is also surging, alongside these privacy laws, which have additional – and significant – implications for how organisations address their data privacy obligations.
About that “GDPR-like legislation”, could you please elaborate?
The GDPR is acknowledged around the world as a ‘gold standard’ when it comes to data privacy legislation, affording personal data a level of protection largely unmatched elsewhere – certainly in 2016, when the GDPR was first published in its final form.
Since then, we’ve seen many more laws like it emerge, including California’s CPRA [California Privacy Rights Act], Brazil’s LGPD [General Personal Data Protection Law] and Japan’s APPI [Act on the Protection of Personal Information].
This isn’t too surprising, considering the high standard set by the EU GDPR, paired with the fact that the Regulation itself applies beyond the EEA:
- To personal data processing carried out on behalf of data controllers or processors in the EU;
- To the processing of EU residents’ personal data in relation to offering them goods or services, or in relation to monitoring their behaviour; and
- Where EU member state law applies by virtue of public international law.
What are your top tips for ensuring compliance with the GDPR and similar laws?
Management in all organisations should consider the following five points:
- Review your privacy notice – ensure that it’s up to date and reflects the jurisdictions you’re processing personal data in. If you’re transparent about what you’re doing with people’s data, you’re less likely to be challenged about your overall compliance and compliance strategy.
- Check your marketing opt-out mechanisms – ensure that these all work as they should and that, internally, you’re clear about the lawful grounds on which you contact people. If you’re careful about compliance in your marketing activities, you’re less likely to trigger a complaint that might lead to a fuller investigation. Even that aside, the ICO [Information Commissioner’s Office] has been strict on its PECR [Privacy and Electronic Communications Regulations] enforcement, certainly where unsolicited marketing is concerned.
- Map your data flows – make sure you know 1) what data is going where, including subcontractors, service providers and supporting software systems; 2) who has access to that data; and 3) how it is protected. This ensures you can identify relevant legal obligations, as well as assess and improve data security measures.
- Review your data protection measures – make sure they’re up to the task: Cyber Essentials and anti-phishing training are simple measures that go a long way towards keeping you out of trouble. Penetration testing is also well worth the investment.
- Look for a compliance platform that enables you to cost-effectively cross-map the various regulatory requirements, identify relevant controls, and generate the necessary policies, procedures and other documentation.
This combination of activities should be enough to keep organisations out of trouble. After all, if you don’t give data subjects grounds to complain, and you avoid a security breach, you’re unlikely to find yourself managing the consequences of breaching the GDPR.
CyberComply
This Cloud-based, end-to-end solution simplifies compliance with a range of data privacy and cyber security laws and standards, including the GDPR:
- Manage all your cyber security and data privacy obligations in one place.
- Get immediate visibility of critical data and key performance indicators.
- Stay ahead of regulatory changes with our scalable compliance solution.
- Reduce errors and improve the completeness of your risk management processes.
- Identify and treat privacy and security risks before they become critical concerns.
To find out more about this platform, read our interview with Sam McNicholls-Novoa, the product marketing manager for CyberComply, or try it yourself with our free 30-day trial.
We hope you enjoyed this week’s edition of our ‘Expert Insight’ series. We’ll be back next week, chatting to another expert within the Group.
In the meantime, if you missed it, check out last week’s blog, where senior penetration tester Leon Teale gave us his expert insights into the CVSS (Common Vulnerability Scoring System).