Beyond GDPR: Data Privacy And The Increasing Cost of Security
In today’s connected world, a local issue can very quickly become a global one.
Take, for example, the European Union’s General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. Its aim is to protect European citizens’ personal information by simplifying the regulatory environment and bringing together the EU’s cybersecurity regulations. However, the effects of this law, and its cost of compliance, extend beyond Europe’s borders, with potential fines to companies based in the U.S. estimated to be more than $9 billion within just one day of the regulation going into effect.
With the world’s markets now just a click away for many customers, how can organizations make sure they’re following the letter of the law wherever they do business?
With so many of our daily activities conducted online – from shopping to banking, and even paying our taxes – user data is increasingly passed through systems and likely across countries. To protect customers’ personal data, every company handling and processing data – no matter where they’re based – must adhere to foreign laws and regulations.
And as the recent GDPR fines alone show, noncompliance has a cost. Vanessa Leemans, chief commercial officer of Aon Cyber Solutions EMEA, states, “data privacy related regulations provide organizations with the opportunity to reinforce their role as responsible stewards of personal information.” As stewards of this information, they can begin to craft innovative privacy policies to better protect customer data “that reflect the constantly evolving needs of digitization.”
The following examples detail some of the recent regulatory and legal changes and their impact.
New York Department of Financial Services (NYDFS or DFS)
Consider, for example, Company X, a multinational financial services firm headquartered in New York that regularly processes massive amounts of its customers’ personal information. As a responsible steward of this data, Company X is obligated to protect all personally identifiable information. According to local law 23 NYCRR 500, if a data breach occurs, Company X is required to notify the Department of Financial Services (DFS) within 72 hours.
Since March 1, 2017, this deadline has been in effect for all financial services companies – from banks to insurers – licensed by the DFS. Companies can no longer wait months to go public with news of a breach. Companies that delay the legally mandated breach notifications can be penalized by up to $75,000 per day. However, the regulation is not limited to business conducted within New York. If Company X is headquartered in New York and has offices in other cities – or even other countries – and its systems are breached outside of New York, it will still have to adhere to the same DFS regulations. Jackie Quintal, Financial Institutions Practice Leader, states, “Because you just have to do business in New York without necessarily being domiciled there means that this regulation can impact almost anyone.”
In addition, entities covered by the NYDFS must do the following:
• Maintain a documented, risk-based cybersecurity program
• Implement and maintain a cybersecurity policy
• Establish a written cybersecurity incident response plan
The EU’s General Data Protection Regulation (GDPR)
GDPR was enacted to allow individuals to control their personal data, both inside and outside the EU. Any company – regardless of location – found to be improperly handling the information of an EU citizen can face a fine of up to €20 million ($25 million), or up to 4 percent of annual worldwide turnover, whichever is greater. In addition, GDPR’s comprehensiveness extends to the rights of customers, allowing them to view their personal records, see how they are being processed, obtain copies of those records, and retain the right to erase them – under any circumstances.
This inclusiveness means that a business such as Company X, which is located in New York and has customers in the EU, would have to adhere not only to DFS regulations but also to GDPR.
Compliance with GDPR requires the following:
• Improved transparency and notification of data collection
• Clear consent about data collection and use of data
• Portability of data including the ability to move data to another controller
• Erasure of data, including permanent removal of data
• Notification if a breach occurs
Brazil’s Data Protection Bill (PLC 53/2018)
“Public opinion on data privacy is changing rapidly, and customers are increasingly demanding about how a company should protect their personal information,” says Patricia Godoy Oliveira, legal and compliance officer at Aon Brazil.
After nearly 10 years of contentious debate, the Brazilian Data Protection Bill (PLC 53/2018) was approved by the country’s government on May 29th, 2018, and will go into effect in early 2020.
PLC 53/2018 applies equally to both the private sector and the government, which is the largest collector of personal information in Brazil. In addition, the bill introduced an independent and empowered enforcement mechanism and included biometric data such as fingerprint data or facial images, among other classifications of customer data.
Similar to GDPR, the Brazilian Data Protection Bill will apply to local companies as well as companies that operate outside of the country but still process data from Brazilian citizens. Thus, in the case of multinational Company X, even though it is based in New York, if it processes personal information from Brazilian customers, it is beholden to PLC 53/2018 requirements.
Noncompliance can result in fines of up to 2 percent of revenue or R$50 million ($12 million) per infraction.
Compliance with PLC 53/2018 requires the following:
• The establishment of a national data protection authority
• The appointment of a data protection officer by each individual business
• Free, informed and unequivocal consent given by the customer
What’s On The Horizon?
According to Aon’s 2018 cybersecurity predictions report, organizations have difficulty keeping pace with an increasingly complex regulatory environment. Adding to the complexity, the process by which complaints are translated into fines is continuously being refined.
New laws on data protection and corporate accountability, along with the compliance obligations that enforce them, will continue to evolve over time. And countries and governments looking to better protect the rights of customers will need to continually address the rising costs of compliance and data protection.