For decades, we’ve all given up our phone numbers, addresses, and other personal data in the name of free email services, social networking sites, and special offers from retailers. But over the past 20 years, that consumer data has been collected, used, and sold to create some of the most profitable companies in the world—think Google, Yahoo!, Facebook—with little oversight into how it is exploited and few mechanisms for recourse when it is misused.
That began to change in 2016, when the European Union adopted the General Data Protection Regulation, or GDPR, which replaced the 1995 Data Protection Directive and became enforceable on May 25, 2018. It was the first regulation to back its requirements for processing personal data with fines of up to €20 million or 4 percent of global annual turnover, whichever is higher, and many countries are beginning to follow suit. After decades of companies collecting, sharing, and selling data with little supervision, and two years of preparation by companies and government agencies to drive enforcement, what has been the impact?
Fines and judgments for violations tell only part of the story. Most fines have been in the low five figures—such as €5,280 to a sports betting café for unlawful video surveillance and €20,000 to a social network operator for failing to secure users’ data—but on Jan. 21, 2019, French data regulator CNIL imposed a record €50 million (USD $56.8 million) fine on Google for breaching the GDPR. CNIL found that Google had not given users sufficiently clear and accessible information about how their data was collected to personalize advertising, and that the consent it relied on for ad personalization was therefore not valid.
In the largest penalty to date, the UK Information Commissioner’s Office (ICO) announced in July 2019 its intention to fine British Airways £183 million (USD $228 million) over a 2018 breach in which the personal and payment-card data of roughly 500,000 customers was stolen. Attackers attributed to the Magecart group had injected card-skimming JavaScript into a script loaded by the airline’s website, so customers’ details were captured as they were typed, without any BA database being breached directly. The proposed fine was equivalent to 1.5 percent of the company’s global turnover. The second-largest penalty, £99 million (USD $124 million), was proposed against Marriott for exposing a variety of personal data in 339 million guest records.
Global companies such as British Airways and Marriott can often recover from financial loss, but the loss of reputation and public confidence goes far beyond regulatory fines. For smaller companies, the impact of non-compliance could be that they go out of business. Non-compliance costs include those associated with business disruption, productivity losses, fines, penalties, settlement costs, and technical development.
As GDPR authorities continue to ramp up enforcement and fines, the bigger challenges for businesses will be in their own internal processes and people. To reduce risk, any company with UK and EU consumers should:
- Develop a culture of data privacy – make protection of personal data an expectation for every team, not a concern left to legal and security staff alone
- Establish a data management priority – make clear the value and importance of controlling consumer data as the lifeblood of an organisation, including knowing what personal data is held, where, and why
- Define third-party risk mitigation strategies – understand exposure from third-party data controls and evaluate vendors and service providers; both headline cases above involved a third party, a script on BA’s website and, for Marriott, the Starwood systems it had acquired
By strategically managing GDPR compliance, companies can also build value propositions around data enablement, process optimization, and risk reduction. Investment in technologies such as data loss prevention, managed file transfer, data classification, or governance, risk, and compliance solutions can reduce the likelihood of a reportable breach and make compliance easier to demonstrate, though no tool substitutes for a lawful basis for processing and clear notices to users, which is what the Google fine turned on.
Finally, organisations can focus on one area that requires little investment while reaping huge dividends: better enforcement of current data protection policies. By making everyone aware of how data should be handled, stored, shared, or deleted—and enforcing those policies through clear communication, gamification models, or progressive mentoring—companies can not only reduce risk, they can also show what controls were in place when a breach occurs. That matters because GDPR’s accountability principle (Article 5(2)) requires controllers to be able to demonstrate compliance, and Article 33 requires most personal data breaches to be reported to the supervisory authority within 72 hours of the controller becoming aware of them, leaving little time to reconstruct evidence after the fact.
Discover how Armor Automated Security and Compliance provides industry-leading cloud security posture management (CSPM) capabilities to continuously discover, assess, and report on security and compliance controls in place across your public cloud environments.