GDPR marked a stake in the ground for data privacy, redefining our understanding of the value of the data organizations hold on us as individuals and of what must be done to protect it. The regulation has now been in force for more than a year, and the fines issued under it are not only reaching large sums but are also being handed out more frequently.
They range from tech giants, such as Google, fined €50m by CNIL, the French data protection authority, for insufficient transparency in some of its data gathering practices (the company is appealing), to smaller, more specific violations, such as the Polish data processing firm that faced a €220,000 penalty for failing to tell the people whose data it had collected that it was processing it. Other cases are more emotive still: a Portuguese hospital was fined €400,000 for allowing staff to access patient records without authorization. Most recently, the UK's Information Commissioner's Office (ICO) announced its intention to fine British Airways £183m and Marriott nearly £100m over data breaches.
Being fined for a GDPR violation is not only a financial matter, either. Once aware of a personal data breach, a firm must notify the relevant supervisory authority within 72 hours and, where the breach is likely to pose a high risk to the people affected, inform them as well. It is right that consumers learn when their data may have been compromised, but the resulting publicity also causes significant reputational damage. Note too that GDPR applies to any firm, wherever it is located, that is established in the EU or that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour.
Learning from Europe
GDPR was discussed, debated and argued over for years. Indeed, a number of regulations preceded it; in the UK, for example, the Data Protection Act 1998. It is therefore fair to say that the legislation came as no surprise, and companies should have been scrutinizing their handling of data many years ago.
The mounting fines across Europe tell a different story. While many firms may have made some effort to protect data and to implement the processes and technologies needed to secure it, clearly not enough has been done. What's more, as regulators such as the UK's ICO hit their stride and new laws such as California's CCPA take effect, more companies are likely to fall foul of the rules.
Embracing the culture shift
Taking measures to comply with GDPR is extremely important and should be treated as a best-practice minimum regardless of whether data on people in the EU is being handled. Going one step further means embracing the cultural shift towards data privacy that GDPR embodies, and doing so has a number of advantages.
First, consider security. GDPR pushes us to do more to protect our data, and that is a good thing. More security at multiple layers of the stack, including some that have long been neglected, benefits the whole operation. Take the network layer: monitoring DNS queries can reveal malware command-and-control lookups, DNS tunnelling and other unwelcome activity that is hard to spot elsewhere, so enterprises can react faster and limit the damage.
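The DNS-monitoring point is easiest to see on sample data. What follows is an added example, not code from the article or from any product it mentions: a small triage script that reads constructed DNS query log lines and flags two common patterns, a domain receiving many distinct long, high-entropy subdomain lookups (a DNS tunnelling signature) and a client resolving several consonant-heavy, random-looking domains (a DGA beaconing signature). The log format, the thresholds and the "last two labels" rule for the registered domain are assumptions made for the illustration; production code would use a real resolver log format and the Public Suffix List.

```python
"""Toy DNS-query triage: flag lookups that look like tunnelling or DGA beacons.

Added illustration; not code from the original article or any vendor product.
Log format, thresholds and sample lines below are constructed assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed sample log: "<timestamp> <client-ip> <qtype> <qname>" (assumed format).
SAMPLE_LOG = """\
2019-07-10T09:00:01Z 10.0.0.12 A www.example.com
2019-07-10T09:00:02Z 10.0.0.12 A cdn.example.com
2019-07-10T09:00:03Z 10.0.0.44 TXT 7a9f3c1e2b4d6f8a0c1e3b5d7f9a2c4e.tun.example.net
2019-07-10T09:00:04Z 10.0.0.44 TXT 3d5f7a9c1e2b4d6f8a0c1e3b5d7f9a2c.tun.example.net
2019-07-10T09:00:05Z 10.0.0.44 TXT b4d6f8a0c1e3b5d7f9a2c4e7a9f3c1e2.tun.example.net
2019-07-10T09:00:06Z 10.0.0.44 TXT 1e3b5d7f9a2c4e7a9f3c1e2b4d6f8a0c.tun.example.net
2019-07-10T09:00:07Z 10.0.0.77 A mail.example.com
2019-07-10T09:00:08Z 10.0.0.91 A xk3q9zt2v.biz
2019-07-10T09:00:09Z 10.0.0.91 A p0w7rm4yjq.biz
2019-07-10T09:00:10Z 10.0.0.91 A zz1c8gfhb.biz
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def parse_log(text):
    """Return (timestamp, client, qtype, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def shannon_entropy(s):
    """Bits of entropy per character; hex/base32 payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: the registered domain is the last two labels (no Public Suffix List here)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_random(label, max_vowel_ratio=0.2, min_len=8):
    """Crude DGA heuristic: long label with almost no vowels."""
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return vowels / len(label) < max_vowel_ratio


def triage(log_text, entropy_threshold=3.5, min_label_len=20, min_hits=3):
    """Aggregate per registered domain (tunnelling) and per client (DGA), return flagged names."""
    noisy_subdomains = defaultdict(set)   # registered domain -> distinct high-entropy leftmost labels
    random_domains = defaultdict(set)     # client -> distinct random-looking registered domains
    for _ts, client, _qtype, qname in parse_log(log_text):
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 2:
            continue
        reg = registered_domain(qname)
        leftmost = labels[0]
        # Tunnelling: many different long, high-entropy subdomains under one zone.
        if len(labels) > 2 and len(leftmost) >= min_label_len \
                and shannon_entropy(leftmost) >= entropy_threshold:
            noisy_subdomains[reg].add(leftmost)
        # DGA beaconing: one client resolving several random-looking second-level domains.
        if len(labels) == 2 and looks_random(labels[0]):
            random_domains[client].add(reg)
    return {
        "tunnel_domains": sorted(d for d, s in noisy_subdomains.items() if len(s) >= min_hits),
        "dga_clients": sorted(c for c, d in random_domains.items() if len(d) >= min_hits),
    }


if __name__ == "__main__":
    for kind, names in triage(SAMPLE_LOG).items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

The thresholds are deliberately conservative (three distinct hits before anything is flagged) so that a single odd lookup, such as a legitimate CDN token, does not page anyone; on real traffic the allowlist of known-good zones matters more than the arithmetic.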
Second, growing awareness of the importance and value of data is driving consumers to care more about how their data is used. Research indicates that consumers will share more data, which could help targeted marketing efforts, if they believe their information will not be abused. Conversely, a company known to have misused data risks consumers refusing to engage with it at all. Organizations with a reputation for good data handling can therefore gain a serious competitive advantage.
Finally, there is an emerging generation of businesses that understand how valuable data is and the importance of protecting it. In the B2B world, supply chains are tightly scrutinized through security credentials, and vendors are chosen or rejected on the strength of their security policies and track record.
U.S. enterprises need to make this pivot before they are forced to. It is not only about complying with the next regulation, or the one after that. Staying on the right side of mandates and avoiding fines is a strategy, but a very short-sighted one. Companies should instead implement stronger security controls, abandon outdated business practices and adopt a way of doing business that embraces data privacy. In doing so they will secure their infrastructure, deepen customer loyalty and boost the bottom line.