It’s time to wise up on Data Privacy regulations and how they affect your organization
Having spent over 45 years in the IT industry, I am well used to the fact that issues that are critical one day become commonplace the next. There is a high pace of change in technology, but us poor humans can be slow to adapt. And then one day what used to be very surprising is commonplace, the new normal.
A couple of years ago a colleague of mine, another veteran and road warrior, was appalled by the emergence of GDPR. “Why would the Europeans introduce such restrictions on data use…? They will never fine anyone!”
He owes me an expensive steak dinner from that bet. In the last few weeks we’ve seen big fines under the GDPR regulations for British Airways (£183m) and Marriott (£99m). But perhaps more significantly, various US agencies such as the Federal Trade Commission and the Consumer Financial Protection Bureau have levied penalties of over $1bn in the last 18 months, the biggest fine being at Equifax, who will have to shell out a minimum of $575m.
“It is estimated that the average cost of a data breach will be over $150 million by 2020, with the global annual cost forecast to be $2.1 trillion. It is estimated that in the first half of 2018 alone, about 4.5 billion records were exposed as a result of data breaches. In 2019, a collection of 2.7 billion identity records, consisting of 774 million unique email addresses and 21 million unique passwords, was posted on the web for sale”.
As I say, what was once a surprise, even a shock, is now commonplace.
In passing, if you are interested in how the IT industry has aided and abetted the exploitation of our personal data for profit, have a look at the Netflix documentary “The Great Hack”. The growth in this industry isn’t all down to hacking and lax security; at least one company has built a business on monetizing your personal data. That is Facebook of course.
The big question is – what happens next?
On the one side I see businesses scrambling to implement proper processes and controls on their customer facing systems. But in addition, I am now finally seeing businesses in North America waking up to data privacy legislation, and to the fact that they need tools and processes. Whether we like it or not, Data Privacy has finally arrived as an issue in the United States of America.
However, I’m still appalled at the lack of awareness, as there’s already a lot of Data Privacy legislation that affects US companies. Apart from GDPR, which affects any organization which holds data on EU citizens, the California Consumer Privacy Act is due to come into force on 1st January next year. Canada already has the Personal Information and Electronic Document Act. These regulations are all different, but if you trade in these territories, you need to know how they affect you.
In summary, Data Privacy is now a hot topic, and we all need to take notice. The human side needs to catch up with the technology.
As a starter, let me give you a few important pointers to how to come to grips with Data Privacy. Your company is almost certainly putting in place proper security around your systems, running penetration testing, and using tools and expertise to ensure your company is not the next one in the headlines. I hope so anyway.
But personal data privacy goes beyond these critical steps, you also need to be able to answer the following key questions
- What personal data do we hold and where is it held?
- Is it secure, i.e. do you know who can access that data, and that they only do so on a “need to know” basis?
- Do you have a process in place to answer an enquiry from an individual about what personal data you hold?
- Are you able to erase all personal data relating to an individual who requests you to? The rights granted to individuals over their personal data vary, so you need to know which rights are relevant in each jurisdiction that affects you.
- Do you have the necessary tools, policies and procedures in these areas?
Technology marches forward at a headlong pace, but the processes and the human beings involved in this change struggle to keep abreast. Data Privacy and Data Security aren’t the most exciting areas, but you need to invest in catching up.
It often isn’t easy to convince the CFO to invest in processes around these kinds of areas. But just give him the figures and explain that without the investment he needs to be ready for those $100m fines and the loss of belief in your brand. And who knows what will happen to the share price and your job prospects?
Please educate yourself now, before it is too late.
Q Software will be attending the InFocus conference in Denver and presenting on GDPR and Data Privacy on August 20th. Find more information about that here.