We are starting to approach the one-year anniversary of the European Union’s General Data Protection Regulation (GDPR) launch and, so far, most companies have been spared the worst the new law has to offer. Specifically, that would include fines of up to €20 million or a whopping four percent of the prior year’s worldwide revenues, what the GDPR refers to as “worldwide turnover.” This is expected to change, however, as cases wend their way through the courts, precedents are set and the law matures.
The way companies are reacting varies depending on their exposure. Obviously, EU-based companies have little choice but to have their houses already in order, and many already were somewhat compliant due to existing EU regulations. Companies outside of the EU that do business with EU citizens but have little presence on the continent have a choice: They can wait and see what happens as the GDPR winds its way through the courts and then decide if the cost of compliance is worth it or, as some already have, pull out of the EU market altogether. Or, of course, they can take their chances that they will be just a tree in the forest, invisible to the regulators so long as they have no serious breaches. That approach potentially has serious flaws. Given that data privacy regulations are gaining steam all over the globe, neither waiting nor hoping to go unnoticed is considered a best practice by those advising firms about GDPR compliance.
New regulations on the way
“Many companies recognize now that GDPR is a forerunner of a broader global effort regarding more strict and demanding rules regarding privacy,” says Todd Hinnen, a partner who heads up the National Privacy and Data Security practice for the Seattle-based international law firm Perkins Coie. Prior to Perkins, Hinnen worked as a prosecutor in the computer crimes division of the Department of Justice and served on the National Security Council during the George W. Bush administration. “Companies will have to come to the realization that the way in which they process personal data will be heavily regulated.”
The State of California, for example, passed a set of data privacy regulations in 2018, the California Consumer Protection Act (CCPA), which goes into effect on January 1, 2020. It also appears action at the federal level — given the high-profile security breaches of late including Facebook and Cambridge Analytica, Equifax, the Democratic National Committee (DNC), Marriott, and many others — to further strengthen personal data privacy might be forthcoming. According to Elliot Rose, head of the cybersecurity practice at London-based PA Consulting, California’s law is even more restrictive in some areas than the GDPR.
California is not alone in passing some sort of privacy law. More than 20 states have internet-related privacy laws about use of government websites, children’s data, email monitoring and access, or false and misleading privacy policies.
Nearly a quarter of the world’s countries, 45 of the 195 recognized by the United Nations, currently have laws regulating how personal data can be used and more are coming. Brazil recently enacted a data privacy law based on the GDPR. India drafted a similar measure in 2018. “China has stepped into the ring as well,” says Rose, “so all kinds of players around the world are getting involved.”
This means companies of all sizes will have to begin safeguarding personal data in ways that will be new and burdensome for many, but not without precedent. In the U.S., both the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) present stringent personal data protections for companies in the healthcare and financial services sectors, respectively. Regulators such as the Federal Trade Commission (FTC) also hold companies to account for data privacy violations. So there are best practices and road maps to follow for understanding how to go about setting up a rigorous compliance practice in your organization.
“If you’re a U.S. company that was HIPAA compliant or [Payment Card Industry Data Security Standard (PCI DSS)] compliant or GLBA compliant, certainly you have a leg up because those regs have been in place for 20-plus years in the U.S.,” says Dan Frank, the Privacy and Data Protection Practice leader for Cyber Risk Services at Deloitte and Touche in New York. “However, HIPAA and GLBA are not GDPR.”
What Frank means is, as always, the devil is in the details. GDPR has four provisions in particular that might be the most difficult for most companies to meet. This is not only because data is everywhere inside of an organization (called the “controller” in GDPR parlance), but because it is often shared with third parties (called the “processors”) that might, in turn, share it with their third-party service providers. These are the provisions that become problematic for some companies:
• Right to Erasure, unofficially known as the right to be forgotten, where companies, in certain circumstances, must erase all the personal data they have on the requesting individual;
• Right of Access, where companies have to report, upon request, what data they have on an individual, how it is being processed, where it is stored, and a host of other information about its usage;
• Right to Data Portability, where organizations must provide customers with a portable data file of all of their personal information so the customer can switch service providers. Upon request, an organization must also transmit this data directly to the other organization or company the customer is switching to.
• 72-hour notification, where the organization must report to the supervisory authority a breach of any personal data within 72 hours of becoming aware of the breach.
“The hardest thing that companies are dealing with in all of those net-new requirements is the access and right to be forgotten,” Frank says. “There are dozens, hundreds and, for the largest organizations, thousands of different repositories where this personal information resides in structured, unstructured, electronic, and non-electronic form.”
So if someone asks to have their records deleted, it is an extremely daunting proposition. The same challenge exists for portability: “How am I going to get all of this personal information out of these systems into one portable file for one individual?” says Frank.
Most companies taking GDPR head on but …
Most companies are taking a proactive approach to dealing with the new realities of personal data protection. But, because many of the fines to date have been nominal (see sidebar below) compared to what they could have been, there are some companies that are waiting to see what the supervisory authorities in each EU member country are going to do. The prevailing wisdom is fines will be going up as regulatory actions play out.
“The fines are really low,” says Rose. “That’s what a lot of companies are waiting to see; if the ICO (Information Commissioner’s Office) will up the fines. Organizations are just waiting a little bit. But, if the fines are significant, it will drive a second wave of activity around GDPR.” The ICO is the UK’s supervisory authority.
Companies want to understand what industries will be targeted, how large the fines will be, and, most importantly, how the law will play out in practice. “It’s only a 100-page doc … [but] just like any body of law, it has a limited narrow life on paper and much broader and nuanced approach in practice,” says Hinnen.
Given that fines could be historically high (four percent of a large company’s revenues can be €1 billion or more), this can make for a dangerous game of chicken if it is your company in the regulators’ crosshairs. For example, Facebook, which is facing scrutiny for its privacy practices, had 2017 worldwide revenue of $40.7 billion. A maximum four percent fine for a GDPR violation could cost the company $1.63 billion (approximately €1.4 billion). Facebook Ireland already has been fined £500,000 (roughly $632,500) by the U.K. ICO and that was not part of a GDPR fine. Of the 50 million Facebook accounts breached by Cambridge Analytica, fewer than 10 percent were based in the EU, according to published reports. In January 2019, Google was hit with the biggest fine to date: €50 million, by French authorities.
If supervisory authorities start to issue massive fines, enforcing and collecting on them could be an issue. First of all, a €10 million or larger fine will surely be appealed, and supervisory authorities in smaller countries might not have the resources to fight endless court battles in order to collect. Also, such large fines can become political issues that can drag on for years.
At least initially, it is believed supervisory authorities will take a more cautious approach to levying the harshest penalties, says Peter Milla, the data protection officer at Cint, a provider of consumer data sets to market researchers around the world with global corporate headquarters in London.
“What’s going to happen is the regulators are going to come in to see if you have a compliance program but they’re going to be very lenient,” he says. “They’re obviously not going to put small companies out of business because there’s a political component here but they will fine. They’re going to be commercially reasonable.” The Germans are probably going to be the harshest, Milla says.
The GDPR also allows for companies to be sued via class-action. Until now, this was not something EU laws and regulations allowed. If U.S. class actions are any guide, this could substantially increase the monetary damages companies face.
“While the fines are being leveled by the ICO there is the provision for civil damages so we might see a few of the law firms … they may start to think there may be some revenue in this around the big data breaches,” says Rose.
More than money
As big as the monetary damages and legal bills to challenge such fines could be, most companies are more concerned with two related issues: doing the right thing and reputational risk. Many companies do want to be compliant because it is the right thing to do. But, because of social media, brand and reputation today are increasingly fragile. Companies seen doing right by their customers (i.e., “doing the right thing”) have always garnered loyalty but perceptions — and boycotts — move much faster in the age of viral videos, mean Tweets, and memes.
“Most genuinely want to comply,” says Hinnen. “They are both participants in a marketplace and are grappling with the implications of the new data economy. They certainly recognize if they don’t do so effectively, there are both reputation at risk and fines in the offing.”
Cint realized early on that the opposite is also true: Compliance would benefit them in the marketplace. Trust is not a commodity; it is earned and it is fragile. So, when your entire business model revolves around people trusting you with intimate details of their lives, from what they do for a living to the health conditions they have, making sure that they understand you take data privacy seriously is a reasonable and safe investment.
“First of all, GDPR is all about good practices,” says Milla. “It’s a holistic approach and [an] automated approach to governance and compliance. GDPR forces you to put a structure around data. The most important thing is we know what we can and cannot use and we understand the data lineage. So, it permits you to properly address hygiene,” he continues. “This was [a] cost to Cint but we did it over time, but it’s an investment that’s going to have a very large ROI.”
The new reality that Cint and every multi-national is now grappling with head-on is that data privacy is a global issue and countries around the world are taking the issue very seriously.
With operations in 80 countries, Cint is leveraging GDPR to set the standard for all of its global compliance activities, Milla says. The company also sees GDPR as a hedge against future regulations that are approved but not yet in effect, such as the aforementioned CCPA.
“To a certain extent we’re going along for the ride of consumer empowerment,” says Milla. “The world is only going to change. We’re going to get to the point where there will be some restrictions put in place on the big operators like Google and Facebook. I’m hearing for the first time from privacy pros and privacy attorneys we could really see something at the federal level.”
Market valuations at stake
For Cint, there also is a business valuation issue to contend with. Cint is in an industry that is under pressure. For years, providing consumer data sets to researchers was a profitable niche business. But with consumer data flowing freely from many sources such as Facebook and Google, the industry is facing consolidation. So, were a buyer to come looking and Cint did not have its compliance policies and procedures in place, it could substantially impact the company’s valuation.
“Cint got its house in order a long time ago because of its European ownership and the fact that good compliance is very important to the value of the company in terms of a future transaction,” says Milla.
Because Cint already does business in so many parts of the globe, coming into GDPR compliance was not overly burdensome. Specifically, the company reviewed supplier and client contracts to make sure compliance issues were addressed and made sure data at rest was being encrypted.
For Markel, a multi-billion dollar multi-national provider of specialty insurance and re-insurance based in Glen Allen, Va., this same dynamic began to play out in 2016 just after the GDPR was finalized. Given that a reputation for integrity is vital to its core business, Markel too views GDPR compliance as a business differentiator, says Patricia Titus, Markel’s chief privacy and information security officer.
“Markel is not a Geico or a State Farm,” she says. “We’re the back-end part of insurance … so we touch on far more than a typical insurance company would. [GDPR compliance] really has to do with Markel’s brand which has extremely high-integrity.”
Markel’s efforts got underway early, but even with two years of work, that did not mean everything was 100 percent ready on May 25, 2018 when GDPR officially took effect. “We were not green but we were not red, so we were well on our way,” she says. The GDPR’s many requirements for data access, erasure and portability required Markel to do a deep-dive data audit to uncover where the data was, who was handling it, what their policies and procedures were regarding that handling, and to answer a host of other compliance-related questions.
Having grown significantly through mergers and acquisitions, Markel discovered that its core brands were in good shape, having already come into compliance with the EU’s Data Protection Directive, which was adopted in 1995, but the companies it owned and operated outside the core Markel brand needed work. The company “welcomed” GDPR as an opportunity to standardize its data policies across its many brands and ensure that it was spending money wisely on the right cybersecurity technologies and not just throwing the proverbial kitchen sink at the problem, Titus notes.
While the right technology is critical to GDPR compliance, training and updating policies and procedures is where Titus and her team focused most of their efforts. The upsides to these efforts are many: a clear understanding of where data resides, standardized privacy practices and awareness training across the company, and an enhanced reputation for integrity in the market. Given the potential financial impact of any fines, Markel’s C-suite and board of directors are taking cybersecurity and data protection more seriously than ever, she notes.
“It’s all [those] things,” she says. “I think there are financial implications, there’s branding damage that can happen if we’re non-compliant. I go back to integrity and, if a company doesn’t want to do the right thing versus ‘We’re going to do X because we’re going to pay the fine;’ that’s not a company that has integrity. I fear companies are looking at this like another compliance check box. But, hopefully, the fines and the penalties will be enough to get folks to treat this with the seriousness that other regulations just haven’t had the weight to carry.”