TeamMacro General Data Protection Regulation Tracking

Accountability and reliability

February 3, 2021

An important part of the TeamMacro TERSM system relates to the European General Data Protection Regulation (GDPR). This regulation became law throughout the EU in May 2018. Although it applies within the EU, it also seeks to protect EU citizens from unfair practices related to their personal data, wherever those citizens may reside.

The main intent of the TeamMacro TERSM system in relation to GDPR is to make it easy to report data breaches from anywhere across the enterprise. These reports can then be rapidly routed to the organization's data protection experts, officers, and authorized managers for a decision on the actions to be taken. Reminders and alerts assist in complying with the strict deadlines required by GDPR, especially the 72-hour deadline for notifying a breach to the authorities. The system is designed to recognize that a data breach that might be a GDPR issue can emanate from many situations. For example, a theft may be reported as a security incident, but it may also have an associated GDPR data breach if personal data was involved.

The penalties for a data breach can be severe. Thousands of GDPR breaches have been reported (see here for more details), and where fines have been imposed, they range per company from a few thousand euros to many millions. For an up-to-date list of penalties imposed, refer to the GDPR Enforcement Tracker. The most common types of complaints concerned data processing activities related to telemarketing, promotional emails, and video surveillance/CCTV (as reported by the EU Commission). Complaints were mainly related to the right to access data, the right to prevent processing, and disclosures and unauthorized processing. Data breach notifications seem to be running at about 100,000 per annum, but the rate is increasing. Most fines are relatively low, but there are some notable exceptions. The GDPR authority appears to be placing considerable focus on the data protection principles and, in particular, the GDPR's accountability requirements, observing in a recent public statement that "accountability encapsulates everything the GDPR is about." That, and the relative lack of attention organizations have given to accountability so far, is a "problem." Refer: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/04/data-protection-practitioners-conference-2019/

With TeamMacro TERSM, organizations have the opportunity to demonstrate the urgency, care and attention they are giving to GDPR principles, and to make sure that the information associated with a potential data breach is documented and available for reporting to the authorities if the need arises. These factors are taken into account when sanctions are imposed and the size of fines is determined. It is important to note that perhaps 75% or more of data breaches are caused by human error or by failures in human-designed processes. Whilst criminal activity tends to get the most press coverage, it is more often negligence or a lack of basic processes, policies and procedures that causes data breaches. TeamMacro TERSM GDPR provides a focus for the training and awareness that is essential if organizations are to demonstrate their efforts to comply with this law.

For information on our experience in deploying the GDPR part of TERSM, please refer to the attached document: TeamMacro GDPR Lessons Learnt from Deployment.

Richard Schneller.