When the GDPR came into force in 2018, one of the biggest questions on everyone’s mind was, “What will enforcement look like?” With the first major fines issued in July to British Airways and Marriott International, we now have an answer. The UK Information Commissioner's Office (ICO) announced its intention to impose a massive $183.39M GBP penalty on British Airways and $99M GBP against Marriott, both for data breaches each company reported in 2018. The message to businesses is that if you fall short of your data protection obligations, you can no longer expect to avoid significant fines.
Fines resulting from EU privacy violations used to be so small that companies could afford to continue doing business with little regard for privacy compliance and not risk much. Now that hefty fines are being announced, companies need to take note. As we examine the changing data privacy landscape, we come away with lessons for businesses on what they can do to prevent similar problems, as well as how to implement data privacy policies and practices that build and maintain customer trust and produce exponential mutual value for both the brand and its customers.
The Changing Data Privacy Landscape
As I’ve discussed in other forums, GDPR has changed how companies around the world do business in the EU and beyond. Prior to GDPR, companies with no physical presence in Europe could operate with little or no regard to EU privacy requirements since the reach of enforcement was limited, and potential fines low. The GDPR has forced companies not only to take notice of EU requirements, but to actively enact and enforce those requirements in their own operations; often at great expense.
Thousands of companies have hired data protection officers, created complex data flow maps, implemented data subject access processes across dozens of disconnected applications, and made significant upgrades to their data security and privacy operations. Businesses will need to closely monitor these rapid changes in the regulatory landscape and adapt accordingly, which means that the concept of one-off privacy compliance activity is a thing of the past. Privacy and security programs will continue to mature and gain traction within organizations as a central, critical component of business operations.
GDPR has also dramatically changed the public’s view of data privacy rights. Individuals now expect to receive the same level of transparency, data access, and control rights as those contained in GDPR and regulators around the world are facing significant pressure from their constituents to enact GDPR-like data privacy legislation in their own countries. The U.S. will see new data privacy laws come into effect in Nevada on October 1, 2019 and in California on January 1, 2020.
Lessons Learned
- These fines tell us, first and foremost, that the ICO is acutely aware of the precedential value of these decisions.
- The ICO’s proposed fines highlight the reality that data protection will rightfully be the most critical factor in determining a company’s fate in the event of a breach.
- Failure by a company to adequately protect their systems and their customers’ sensitive personal data leads to not only financial but reputational loss.
- Focusing on the implementation of appropriate, evolving defenses in a manner that is proportionate to the nature of data collected and defensible in the eyes of regulators must be at the forefront of every organization’s strategy.
- A great breach response is as essential as ever, but will not be sufficient cover to avoid a significant financial penalty.
- Performing sufficient security due diligence during the M&A process is critical.
When consumers put their trust in a brand and provide it with their sensitive information, that trust must be respected with proportionate and adequate defenses. All organizations that process personal data must prioritize data protection and ensure that appropriate resources are assigned to the creation, maintenance, and constant improvement of security and privacy practices. Failure to do so will make it difficult, if not impossible, for organizations to avoid regulatory fines when things go wrong.
The ICO’s Elizabeth Denham reinforced this point in her statement regarding the fines saying, “People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Significant fines are not limited to the EU. The US FTC has just issued a $5B USD fine, the largest ever fine for privacy violations. Fines under California’s CCPA and Nevada’s new consumer privacy law are also likely to outpace those we’ve seen in recent years. But data privacy isn’t just about regulatory compliance. As businesses audit their data privacy protocols and processes to comply with existing rules and implement consent-based data collection, they will be better prepared for what’s coming. Perhaps more importantly, they will also bridge the gap between personalization and privacy to help build and maintain the trust of their valued customers.
Data Privacy and Security Checklist
- Cover the basics. As reported in the media, some of the issues giving rise to fines occurred because websites were not protected against common web application security risks, which led to the injection of unauthorized scripts. Companies must constantly improve the protection of their web sites and applications, starting with the most common risks, to help reduce the likelihood of such attacks.
- Be diligent. Another issue cited in the recent announcements is the importance of performing adequate due diligence of acquisition targets. Your security perimeter extends beyond the boundaries of the networks your company directly controls and this advice should therefore extend to your vendors and partners.
- Be prepared. No company is perfect, regardless of how many resources they assign to security. Things can and will go wrong eventually. If you suspect any data compromise, a prompt and robust breach response is vital. This includes quickly and accurately informing customers and regulators of what happened what steps your company is taking to reduce harm, what steps customers can take to protect themselves, and what you are doing to protect the data still under your care. While it might be tempting to hide or delay reporting an incident for fear of financial or reputational damage, an open and honest response not only promotes trust and transparency with customers, it also potentially limits the impact on those affected. It also demonstrates that your company is pursuing a notification process aligned with GDPR and other data privacy regulations.
What Do You Think?
Is your business putting mechanisms in place to protect your customers’ data in ways that will earn and build trust? Click the social icons to share this post and your thoughts on the lessons you’ve learned through the evolving data privacy compliance process.