GDPR and the PII Leak
According to Pew Research Center’s survey of more than 4,000 US adults, six in ten say they don’t think it’s possible to go through daily life without having their personal data collected by companies or the government. And while the collection process is not the problem, it’s how these companies handle personal data that’s getting them into hot water.
Regulations such as the General Data Protection Regulation (GDPR) were designed to tell companies that process the personal data of individuals in the European Union how they must protect that data, and to give those individuals more control over how their information is used and shared. Yet personal data breaches continue to rise, and they rack up millions in fines for businesses every year.
In fact, DLA Piper's GDPR fines and data breach survey, published in January 2021, reported double-digit percentage growth since January 28, 2020 in both the aggregate value of fines issued and the number of personal data breaches notified to regulators.
Grindr – An $11.7 Million Lesson
Earlier this year, the world's most popular gay dating app, Grindr, came under scrutiny for sharing private user details with advertisers without a valid legal basis. The Norwegian Data Protection Authority (Datatilsynet), the independent body that protects individuals' right to privacy in Norway, found that Grindr had shared data such as GPS location and sexual orientation with at least five advertising companies without users' valid consent, in breach of the GDPR. Sexual orientation is a special category of personal data under the GDPR, which is why disclosing it carries such heavy penalties. In February 2021, the Norwegian Data Protection Authority hit Grindr with an $11.7 million fine.
Where’s the Disconnect?
Some businesses have stated that the rules and guidelines in the GDPR are too vague or too complex to implement. Others misunderstand what counts as Personally Identifiable Information (PII), a definition that keeps widening as businesses evolve and collect new data points. Most businesses think of PII as name, mailing address, phone number, Social Security number, and email address, but under the GDPR the broader concept of "personal data" also covers online identifiers such as IP addresses and cookie or device IDs, along with social media posts and images, among other things. Anything that can be linked back to an individual, directly or in combination with other data, is in scope.
As the pandemic continues and consumers get accustomed to online purchasing, more and more data is gathered and stored, and more regulations are introduced. The California Consumer Privacy Act (CCPA) of 2018 was later judged too weak to protect individuals, resulting in a second measure for California: the California Privacy Rights Act (CPRA), which amends and expands the CCPA. To date, 128 out of 194 countries have legislation in place to protect data and privacy.
Putting Privacy First
Implementing processes at your own organization to abide by these regulations is the first step, but what about your vendors? Any vendor that processes personal data on your behalf extends your compliance surface, and regulators hold you responsible for it. How do you ensure your vendors are also abiding by these regulations? Simple: find a vendor risk management platform, such as ProcessBolt, that maps vendor assessments to any regulatory or internal compliance framework.
At ProcessBolt, our automated platform maps assessments to the regulations that govern not only your business but also your vendors. Learn how with a 15-minute demo.