We’ve all seen the horror stories about data breaches in the news — and of course, most organizations think it can never happen to them. Yet the reality is one in four organizations will experience a data breach this year, meaning this isn't an issue that can be avoided. If information and data truly are the new oil, isn’t it time we started treating them accordingly? A small leak from an oil tanker can have disastrous effects. The same principle applies to data.
The key to implementing a strong privacy ethos is to understand the entire landscape: the information that needs to be secured, the processes that use that information, and the penalties that will be levied against organizations that fail to comply with the regulations protecting their customers' personal data. It is with that privacy legislation that many organizations need to begin.
Setting the Stage: GDPR and CCPA
Launched on May 25, 2018, the EU General Data Protection Regulation (GDPR) created a push for better transparency, user control and accountability in the management of, and security around, personally identifiable information (PII). Despite being a European-driven initiative, the regulation applies to the gathering, storage, processing and management of data relating to any EU-based citizen, meaning that any U.S. organization that sells goods or services to European citizens, employs European staff, or has dealings with European companies falls under the gaze of the legislation.
The GDPR regulation was closely followed by the California Consumer Privacy Act (CCPA), which became the first U.S.-based privacy law when it came into force on Jan. 1, 2020. The CCPA focuses on the rights of California residents and offers protection regarding their personal information, and places various data protection responsibilities on those conducting business in California.
CCPA and GDPR are significant regulatory milestones illustrating that we’ve reached a new era of data privacy. But what do the regulations — and others either in effect or coming into effect — look to protect, and what are the implications of failing to comply?
The Downside of Getting Data Privacy Wrong
Before exploring how to implement a data privacy initiative, it is important to understand the potential effects of not making the effort. Both CCPA and GDPR impose financial penalties of varying size and scope for failure to comply.
GDPR has been in effect for longer than CCPA, and already has notable examples of enforcement, including:
- Hotel chain Marriott International, which in 2020 paid $23.8 million in fines for a data breach in 2018.
- Clothing retailer H&M, which in 2020 paid €35.3 million (over $41 million) for illegally surveilling employees at its Nuremberg office in Germany.
We are still waiting to see the first serious CCPA cases come to pass. However, the way CCPA fines are calculated is of particular interest. With a penalty of up to $7,500 per consumer, the potential financial consequences for large organizations with millions of customers are considerable. We're watching the currently active cases against well-known corporations such as Amazon, Zoom and TikTok with considerable interest.
However, the financial penalty isn't the only downside of getting data security and privacy wrong. Potentially far more wide-reaching impacts could be seen from damaged reputations. Organizations called out for being unable to protect personal data will make customers, suppliers and investors think twice about working with them.
5 Steps to Start (or Reignite) Your Data Privacy Implementation
The road to implementing successful data privacy is straightforward. As with all large initiatives, the key factors are breaking the problem down into manageable pieces and, most importantly, starting the work now. The five steps below provide a starting point for getting a data privacy initiative moving (or reignited).
1. Audit Systems
Identify precisely where all customer and employee data is stored within all of your systems. Remember that CCPA and GDPR have different definitions for which information is regulated, so you should work against both regulations for the greatest coverage.
2. Audit Processes
Identify how personal data is processed, where it enters the organization, what processing occurs, and where it exits the organization. Note: both CCPA and GDPR make allowances for the processing of anonymized data but have differing guidelines for deidentified, pseudonymous, and aggregated data.
3. Address the Regulation
No matter how complex the task, you must create processes, procedures and structures that show you are addressing the regulations that apply to your organization. The first versions of these may not be perfect and may need updating as you go, but putting them in place is vital in order to determine how to measure progress.
4. Communicate
Data privacy is too often only talked about when breaches or fines occur, but proactive communication about data privacy can have positive benefits for employees and customers alike. Share details about how your organization is managing PII, why you are doing it, and how customers, staff and partners can help. Should you experience a data breach at some point in the future, at least your data subjects will know that you were as well prepared as you could possibly have been.
5. Rinse and Repeat
Recognizing that data privacy is not a project but a process is critical to success. Once a privacy and security plan has been put in place, it needs constant measurement, review, adaptation and refinement to remain relevant. Data breaches can come from numerous internal and external sources. The threat is both constant and continuously changing, and your resilience and preparation against it need to be equally vigilant.
Look for the Silver Lining
As our world becomes increasingly digital, the need to protect personal data grows in parallel. From ensuring the safety of our children online to carefully controlling access to sensitive healthcare information, data security and privacy are critical concerns for us all.
From the perspective of enterprises, managing the security and privacy of customer data is not only a compliance issue but also an ethical duty.
But instead of focusing on the negative aspects of data breaches, it is time to commit to the positive upsides that come from effective data security, privacy and good governance. Proactive action and the application of measured risk management tactics (such as those described above) can help organizations go beyond simply avoiding the fines, negative PR and overall business disruption that a data breach brings with it. Positive data privacy that demonstrates the benefit of strong information governance can build trust, goodwill and respect among a company's many stakeholders.