The Price Of Data Privacy: A Look At GDPR Fines And The Costs Of Noncompliance
IN THE HEADLINES
Stories about massive data breaches are hardly news these days, yet reports that the July 2019 breach of a major company exposed more than 100 million customers’ personal information still manage to draw significant attention. At the heart of much of stories like these are concerns over consumer privacy, as well as over financial and brand impacts on organizations that suffered a security breach. On top of that, these events hold the potential for fines imposed by new data privacy regulations.
The best-known of those regulations is the European Union’s General Data Protection Regulation (GDPR). In the U.S., the California Consumer Privacy Act will impose its own GDPR-like regulations on companies’ collection and use of individuals’ data – effective January 1, 2020.
What is often overlooked is that complying with privacy regulations can create opportunity for businesses. “Such compliance can strengthen customer relationships,” notes Vanessa Leemans, chief commercial officer of Cyber Solutions EMEA at Aon. “Public opinion on data privacy is changing, and customers are increasingly placing greater importance on how organizations protect their personal information. Organizations can use regulations to show how much they value customers.”
WHY IT MATTERS
The GDPR sets strict standards for organizations’ collection, use, management, protection and sharing of personal data. Fines for violating the regulation can range from up to €20 million ($22.5 million) to 4 percent of a group’s annual global revenue – whichever is greater.
All businesses that offer goods and services to European residents (or otherwise collect their personal data) will need to follow GDPR, even organizations operating outside of the EU. Notably, the regulation requires organizations to demonstrate their compliance with the regulation and provide individuals with several rights related to their data – including the right to have their data erased.
The EU privacy regulation also necessitates that organizations consider privacy risks in the process of designing new products or services, specifically to ensure that minimal personal data is collected, used and retained. In addition, it requires organizations to notify supervisory authorities within 72 hours of any data breach that puts individuals’ data at risk.
Since going into effect in May 2018, the law has encouraged committed regulators to fine companies for violations – some in the hundreds of millions.
For example, in July 2019, the U.K. Information Commissioner’s Office issued two notices of intent to impose fines: £183 million ($222 million) on an airline company, and £99 million ($120 million) on an international hotel chain.
And under GDPR, fines and other regulatory actions aren’t limited to data breaches: companies have also been fined for inadequate privacy notices or shortcomings in consent-collection mechanisms.
Understandably, the exposure to significant fines for mishandling customers’ data has captured the attention of many company board rooms. For example, at the same time the GDPR fines were announced, the U.S. Federal Trade Commission imposed a $5 billion civil penalty against a social media company.
Organizations should not only comply with regulations but also actively pursue their fulfillment with these courses of action:
• Conduct frequent security audits will help determine the safekeeping of the personal data they hold.
• Develop plans for continuously monitoring and adapting their data compliance efforts.
• Ensure that their contacts with third-party data processors meet at least the minimum standards of the GDPR.
• Include data breach notification procedures in incident response plans and involve all appropriate stakeholders.
“While GDPR has a positive impact on the privacy of EU citizens, there are still concerns about the financial impact to organizations,” says Onno Janssen, chief executive officer of Risk Consulting and Cyber Solutions EMEA at Aon. “Ongoing effort will be required to manage the implications of GDPR. Organizations can protect themselves by taking an enterprise-wide approach to help achieve cyber resilience and meet the expectations of their customers and shareholders.”
For more on GDPR, case studies and lessons learned, see the guide by Aon and DLA Piper, “The Price of Data Security.”