With GDPR and the California Consumer Privacy Act dominating the data privacy conversation, Baker Tilly’s David Ross discusses the myriad benefits of maintaining compliance.
Recently, we saw Google fined $57 million by France for violations of the sweeping General Data Protection Regulation (GDPR) legislation passed by the European Union. Fined for not properly disclosing or alerting consumers on how their data would be used, Google’s practices ran afoul of the new data privacy laws enacted in May 2018.
Consumers and corporations alike face unfortunate repercussions when cybersecurity precautions aren’t taken seriously. Gloomy statistics and stories of well-known corporations losing customer and vendor personal information to large-scale data breaches fill the news on a near-daily basis. The frequency of data breaches has increased to an unprecedented rate, and the cost continues to rise each year. A study by the Ponemon Institute reports the average cost of a data breach is up 6.4 percent since 2017 to a whopping $3.86 million.
While there is significant press surrounding the fines organizations must pay for breaches and violations, the other less apparent and often difficult-to-quantify costs can be much greater, farther reaching and longer lasting. These may include reputational damage, loss of stock value, loss of current and future customers, class action lawsuits and remediation expenses from breaches such as notification costs or credit report monitoring for affected customers.
Many of these costs can, however, be avoided. Investing time and resources to build a comprehensive privacy program can pay dividends. The more organizations prepare, the better positioned they can be to steer clear of fines, negative press and other organizational challenges.
What Your Organization Can Do Now
The costs of data privacy risks are daunting. With a proactive approach, a concerted upfront investment and the development of a strategic privacy program, organizations will be prepared to prevent data privacy incidents and ensure compliance with privacy regulations.
Regardless of industry, all organizations that process personal data should do the following:
- Review applicable regulations. Evaluate the organization’s industry and data footprint to determine which regulations apply. Some regulations, such as the GDPR, may apply to the organization even if there is no physical presence in the EU.
- Maintain accurate records. Document the data processing activities the organization is engaged in. In the event of a violation, any penalties you face may be lessened if you can demonstrate the steps taken toward compliance.
- Invest strategically in a data privacy program. Prioritize data privacy activities that are easiest to implement and address areas of greatest weakness. Conduct a cost-benefit analysis to evaluate the risks the organization faces and determine the best use of resources.
New Regulations Come with Steeper Penalties
With new data privacy laws like GDPR in force, we’ll see more crackdowns on offenders. In addition to Google’s fine, the first against a U.S. technology leader, AggregateIQ, a Canadian digital advertising firm, became the first organization outside the EU to receive an enforcement notice, on July 6, 2018, after a tip that the organization was using data analytics for political campaigning without user consent.
In September, Facebook reported its largest breach to date. The attack exposed the personal data of 50 million users. Approximately 10 percent of the accounts exposed belonged to European citizens, all of whom are covered under the GDPR. While the organization succeeded in reporting the breach within the GDPR’s required 72-hour window, the case is now under investigation by the Irish Data Protection Commission. The investigation confirms that simply meeting the reporting requirements is not enough to avoid the scrutiny of the auditors in the event of a breach.
The ability to demonstrate compliance efforts (in conjunction with cooperating with the supervisory authorities) will be essential in order to minimize fines and penalties in the event of a breach. While Facebook is unlikely to be fined the maximum penalty of 4 percent of revenue, it is likely that the fee will be substantial.
Recovery Costs Are Often Worse Than Fines
While the fines of today’s data privacy regulations are harsher than ever before, they are not always an organization’s biggest concern. After its involvement in the Cambridge Analytica scandal earlier this year, the U.K.’s Information Commissioner’s Office hit Facebook with a $660,000 fine, which seems minuscule given the scale of the organization. The real blows, however, came later in the form of a loss of 3 million users, more than three dozen class-action lawsuits and a stock market valuation that fell by a staggering $156 billion.
The aftershock of a data breach can be a public relations (PR) nightmare: The larger the breach, the more expensive the recovery. Once technology upgrades are added along with notification expenses and corrective services (such as credit monitoring), the dollars add up quickly. In 2018, Facebook invested heavily into PR campaigns designed to reassure and educate users about data privacy, but not all organizations can afford that level of investment. For many organizations, once a customer’s trust is lost, it may be too difficult or too costly to win it back.
The Unknown Costs of Data Subject Requests
Regulators are not the only ones keeping an eye on data privacy policy. In many cases the data subjects involved, better known as customers and employees, are ready to take control of their data and exercise their new rights. Under the GDPR and the California Consumer Privacy Act (CaCPA), data subjects have the right to know what personal information an organization has on them, take the data with them in a usable format and request it be deleted – all within a short window of time. Data subject requests are time consuming to respond to and can expend significant resources. For some organizations, this process is a nuisance. However, if an organization is targeted by activist groups with a campaign designed to disrupt operations, the bombardment could derail the organization’s objectives.
By developing an efficient process to handle these requests and coupling that process with a sound data strategy, one that deletes data unnecessary to providing the requested services, organizations can decrease risk and create efficiencies that will result in significant savings over time. The first line of defense against baseless data subject requests should be a clear and transparent public message about how the organization collects, stores, shares and otherwise processes personal information. To meet GDPR’s transparency requirement, publicly available privacy policies should be designed to help data subjects feel comfortable doing business with the organization by explaining exactly how and why it is processing their personal data. Establishing this level of comfort or trust can play a large role in customer relationships in the years to come and can help decrease the number of requests in the short term.
The Cost of Losing to Competition
Organizations unprepared to comply with data privacy regulations may fall behind their competition. For example, organizations that prioritize the development of a comprehensive data privacy program also actively evaluate vendor security practices for safety and compliance with regulations. Selecting a vendor that is noncompliant with GDPR is not only a risky move, it may also be a violation of GDPR. Vendors should take steps now to become compliant and avoid losing business to competitors who can already demonstrate compliance.
Investing in Better Training and Data Management Practices Pays Off
Most people assume data breaches are caused by hackers stealing information from outside the organization; however, according to McAfee, 43 percent of data loss occurs from within the organization. Most of these leaks are due to poor data management practices, inadequate controls, lost equipment and negligence. Incorporating data privacy best practices into employee education and training requires an investment of time and resources, but the investment is well worth the effort. By investing in training and awareness programs and protecting devices with multi-factor authentication or remote wipe features, organizations could reduce the number of in-house leaks by half.