The General Data Protection Regulation (GDPR) put a stake in the ground when it comes to data privacy, redefining our understanding of the value of the data organizations hold on us as citizens, as well as what should be done to protect it. The legislation has been in effect for more than a year. The fines generated under it are not only reaching high sums; the frequency with which organizations are being fined is also on the rise. Cases range from tech industry giants, such as Google, which was hit with a 50 million euro fine by the French government for lacking sufficient transparency in some data gathering practices (the company is appealing), to smaller, more specific violations, such as a Polish data processing firm that faced a 220,000 euro penalty for dubious marketing initiatives. Other instances are even more emotive, with a Portuguese hospital being fined 400,000 euros for allowing its staff to illegally access patient records. Most recently we’ve seen British Airways hit with a £183 million fine and Marriott with nearly £100 million from the Information Commissioner’s Office (ICO).
Being fined for a GDPR violation is not only a financial matter, either. Once made aware of a breach, firms need to disclose it to relevant supervisory authorities within 72 hours. While it’s good that consumers are kept abreast of whether their data may have been compromised, this also leads to significant reputational damage following a breach. It’s worth noting that GDPR applies to any firm, regardless of its geographical location, holding EU citizen data or operating within the EU.
Learning from Europe
GDPR has been discussed, debated and argued over for years. Indeed, a number of regulations were in place before the GDPR came into force; for example, the Data Protection Act of 1998. It would therefore be reasonable to say that this legislation wasn’t a surprise, and companies should have been taking a hard look at the way they handle data many years ago.
But the mounting fines across Europe tell a different story. While many may have made some efforts to protect data and to implement processes and technologies to secure it appropriately, clearly not enough has been done. What’s more, as the ICO in the UK and the CCPA in California, for example, hit their stride, more and more companies are likely to fall foul of the legislation.
Embracing the culture shift
Taking measures to comply with GDPR is extremely important and should be considered a best-practice minimum, regardless of whether EU citizen data is being handled. Going one step further, however, means embracing the cultural shift towards data privacy that GDPR embodies, and there are a number of advantages to doing so.
First, consider security. GDPR pushes us to do more to protect our data—and that’s a great thing. More security at multiple layers within the security stack—including some areas that have long been neglected—is a huge benefit for the operation overall. Take the network layer, where greater monitoring at the Domain Name System (DNS) level can provide unique insights into malware and other unwelcome visitors to the network. This allows enterprises to react faster and minimize potential damage.
Second, a greater awareness of the importance and value of data is driving consumers to care more about how their data is used. Research indicates that consumers will share more data, which could help targeted marketing efforts, for example, if they believe their information will not be abused. There’s also the risk that consumers may not consider engaging with you at all if your company is known to have misused data. Consequently, organizations with a reputation for good data handling can gain a serious competitive advantage.
Finally, it’s important to acknowledge that there’s an emerging generation of businesses that understand how valuable data is and the importance of protecting it. In the B2B universe, supply chains are tightly scrutinized through security credentials, and vendors are chosen or rejected because of their security policies and track record.
U.S. enterprises need to make this pivot before they’re forced to. It’s not only about ensuring compliance with the next regulation, or the one after that. Trying to stay on the right side of mandates and avoid fines is a strategy, but a very short-sighted one. Companies should instead implement stronger security protocols, abandon old business practices and take on a new way of doing business that embraces data privacy. By embracing this cultural shift, they will secure their infrastructure, deepen customer loyalty and boost the bottom line.