Inaction can be devastating. This is as true in an individual’s response to COVID as it is in an organization’s strategy for GDPR compliance. Sandra Erez draws parallels between epidemiological crises and data breaches – both of which can have dire consequences.
Fear is a great motivating factor for people to start complying with previously ignored rules and regulations – whether that applies to COVID-19 or GDPR. Take for instance the increasing number of non-mask believers suddenly donning masks following spiking numbers of COVID-19 deaths in their area. Like most of us, who don’t believe the authorities’ dire predictions until they hit home, people still tend to be reactive rather than proactive – and even more so when an ongoing situation is rife with uncertainty.
The story of GDPR preparedness seems to follow a similar path. Although it was introduced in May 2018, and there has been no dearth of heavy fines hitting businesses since, there is still an overwhelming number of EU, U.S. and U.K. businesses that are not fully GDPR compliant – and some that haven’t yet begun their GDPR initiatives.
Like COVID-19, GDPR doesn’t seem to be going away anytime soon, although some businesses would probably like it to. So why, after more than two years, are so many organizations unable to rise to the challenge?
GDPR Is a Hard Act to Follow, and It Is Contagious
Since it came into force in 2018, GDPR has caught on around the world like a highly contagious virus. And as more data privacy regulations pop up (e.g., the California Consumer Privacy Act (CCPA), the Brazilian General Data Protection Law (LGPD), the India Personal Data Protection Bill, the Chile Privacy Bill Initiative, the New Zealand Privacy Bill, etc.), germinate and spread across the world, organizations are increasingly unsure of how to proceed. The complexity of an ever-expanding global regulatory framework has become overwhelming for businesses that don’t have proper tools and strategies in place. The difficulty of understanding the legislation, and of knowing when and how to report and deal with incidents, has clearly deterred organizations wanting to meet the GDPR compliance challenge, and it is severely undermining their confidence in their ability to do so.
Meanwhile, though, no one is cutting those unprepared companies any slack: in the first 10 months of 2020 alone, the EU authorities stepped up enforcement against noncompliant businesses by handing out 220 GDPR-related fines. In fact, from June 2019 to June 2020, 260 percent more fines were handed out per month compared to the same period the year before – a clear indication of a continuing upward trend.
Fear of Flying During COVID-19
Beware: In case you thought COVID-19 might be a nice excuse to give to the local data protection authorities (wherever you are) when they rudely knock at your front door, don’t count on it. Although British Airways is already incurring huge losses from COVID-19 travel fallout, it was just slapped with a fine of £20 million for a 2018 data breach that had exposed the data of over 400,000 customers. Undetected for two months and caught only by a third party, the breach, which exposed personal data such as employee login credentials and credit card information, caused tremendous harm to BA’s reputation.
So, watch out: Although a recent ICO decision reduced the original fine from £184 million to £20 million (owing to BA’s COVID-19 business losses, combined with the improved security solutions now in place), no one can get complacent. This breach was considered a severe failing because of the number of people involved, even without taking into account the potential class-action lawsuits that might follow.
Unmasking Data Privacy Legislation: Come Out, Come Out Wherever You Are
For many nations, the EU’s GDPR is a lantern of light in a data-dense, dark-web world. Chances are that no matter where on this earth you do business right now, data privacy is on its way to becoming recognized as a fundamental human right not to be violated.
American citizens, not to be surpassed by their European big brethren, are also clamoring for increased legislation to be added to the existing federal and state data privacy laws. Despite the havoc wreaked by COVID-19, which put the brakes on passing data privacy bills this year, people are tired of data abuse by big corporations. More than 30 states have put forth bills for consideration in 2020 alone.
Other U.S. lawmakers, impatient with the current, ineffective consent model, are calling for stricter measures at the federal level. Senator Kirsten Gillibrand (D-NY) proposed the formation of a federal data protection agency paralleling the EU’s GDPR body, while Senator Sherrod Brown (D-OH) proposed the Data Accountability and Transparency Act of 2020 (DATA 2020), which would create a new independent agency that can hold corporations responsible for violations.
In that not-so-futuristic scenario, an organization’s data collection algorithms would need to be submitted to the data agency in exchange for an approved corporate compliance certificate. Authorities enforcing those laws would have the technological means to see through the previously opaque screen of company data collection and usage, and to punish errant organizations with civil penalties.
Waiting in the White House Wings
If these bills pass their clinical trials on the polished floors of Congress, the winds of change will not only ruffle the corporate masks, they will blow them off shamed corporate faces, leaving them unprotected from the virulent wrath of the law and consumers.
And unfortunately for the data abusers, there is no vaccine waiting in the White House wings to cure those ills. Even drinking bleach won’t work.
What Goes Around Comes Around
Gradually – and perhaps grudgingly – we must internalize that any of us could be the next target of a data breach investigation. It’s time to weigh the risks and invest in the right paraphernalia for meeting the data privacy challenge and doing the right thing for everyone involved. Slapping on the mask after those invisible particles – be they data or viral – have circulated around the globe is not going to stop you from becoming known as a careless super spreader of someone else’s personal data. You have been warned.