One year on, a collective phew can be heard. The bark of GDPR’s 57,509 weighty words appears distinctly worse than their bite.
The EU’s tough data privacy law may have strengthened individuals’ rights, forced companies to tighten security and report breaches, and introduced higher fines. Yet only a single large fine has so far been issued – to Google France.
So far EU information regulators have been content to beat a pragmatic path, partly as they are overwhelmed by the volume of subject access request complaints and breach notifications, and partly as they continue to focus on legacy cases. They are also currently more focused on encouraging a culture of openness and honesty than enforcement.
However, a string of high-profile breaches at the likes of Marriott Hotels, British Airways and Cathay Pacific has raised further concerns about the extent to which companies are willing or able to protect people’s data and information. And in the process they have added more pressure on EU information regulators to act firmly.
With the prospect of legal actions being taken more seriously, and the possibility of class action lawsuits, some large technology and social media companies are known to be lawyering up.
Against this backdrop, regulators have said they will take seriously anything that puts the twin principles of openness and honesty into jeopardy, and that they are willing to expand investigations beyond assessing cybersecurity governance and controls to testing compliance in areas like technical competence and education and training.
With the GDPR honeymoon period set to end sooner or later, trust and reputation will be central going forward. To secure trust and protect its reputation, every organization must look to develop a culture that ensures compliance, drives awareness of the importance of data privacy amongst leadership, employees, customers and partners, and results in the appropriate behaviors.
Running awareness campaigns and providing regular internal communications updates will be important in this regard, as will employee education and training programs.
Every organization should also think carefully about what it means to create a culture of openness and honesty.
To date, attention has largely been focused on the need for openness about what data is being collected and how it is used, chiefly in the form of data privacy statements.
By nature, data privacy statements tend to be lengthy, verbose and full of legalese, which means they are usually skipped over or simply bypassed. Of course, that suits some organizations well.
However, those in the business of winning trust should ensure they are as comprehensive, clear and accessible as possible. Survey Monkey General Counsel Lora Blum writes compellingly on this topic.
Almost as important is to provide a clear and accessible pathway or set of pathways for data subjects to contact your data protection or privacy officers. Pharma company GSK is a model in this regard. Others provide general guidance on how to stay safe online.
Some companies help the user view and manage their own data. While few hold anything like the amount of information collected by internet and social media firms, Google’s privacy dashboard is a good example of how this can be done.
It is also important to be open about data breaches, which must now be disclosed within 72 hours under GDPR. Given the legal and reputational dimensions of breaches it can be difficult to know what to say when a breach occurs.
In my experience counselling companies before, during and after data privacy incidents (as well as many other types of incidents and crises), the more open, honest and empathetic you appear from the outset the more likely you are to persuade those impacted that you are acting in their best interests.
There are other more strategic ways to convey openness beyond privacy statements and data breaches. Telco firm BT, for example, publishes a quarterly Cyber Index in order to reassure customers they are properly protected against DDoS, phishing and attempted scams on its network.
And any company in the eye of the regulatory or political needle might usefully consider detailing its cyber risk management activities in order to convince regulators and investors of the robustness of its efforts.
Much of the focus on honesty has been on data breach disclosure, particularly on ensuring that breaches and leaks are reported in a timely and forthright manner to regulators and data subjects.
It is not easy knowing what to say about a breach when the facts are only just starting to emerge and the media are breathing down your neck. Cathay Pacific, for example, chose to stay silent about a ‘data security event’ affecting 9.4 million customers for three months, resulting in lawmakers and the media accusing it of orchestrating a cover-up.
By contrast, British Airways disclosed a breach affecting the personal and financial data of over 500,000 of its customers, including CVV numbers, within hours of its discovery in August 2018. Despite no evidence of fraudulent activity, the airline offered to compensate those involved immediately.
Of course, honesty is not just about breaches. In today’s volatile and skeptical business environment, regulators, customers and other stakeholders expect companies to be as honest as possible about their activities – and their shortcomings – by default.
Needless to say, honesty is not something that is always easy or straightforward, especially given the social, political and legal sensitivities of data privacy. That some aspects of GDPR and equivalent regulatory regimes remain somewhat woolly doesn’t make things any easier.
Nonetheless, as a rule of thumb, the more open and honest you are, and are seen to be, about your data privacy culture, governance and compliance, the more likely you are to win the trust of your customers, employees and investors, and the better disposed regulators are likely to be towards you in the event of an incident or investigation.