Just when you thought it was safe – being a year on from full The General Data Protection Regulation (GDPR) effectiveness - we had few significant instances of regulator enforcement. But the week of 15th July 2019 may go down in commercial history as the justification for over 3 years of investment and work by all those involved in data privacy - as to people, process, policy and technical enablement.
Up until this week, the enforcement pattern had been sporadic and limited – given the size of the corporations involved. In 2018, Facebook in the UK had been fined some £400,000 for the Cambridge Analytica breaches – being the maximum that Elizabeth Denham, UK’s Information Commissioner (“ICO”), could charge for an incident occurring before 25th May 2018 (GDPR D-day). And there had been the € 50million (circa $56 million) fine on Google in France for data breach earlier in 2019. But there had been signs in the UK of regulator ingenuity during last winter – using the powers under the Computer Misuse Act actually to jail senior management.
But the 3 announcements in week 15th July change the game. On the 15th, the ICO announced its intention to fine British Airways £183,390,000 (circa $230 million) for violations of GDPR related to a cybersecurity incident in which malware on the airline’s website diverted user traffic to a fraudulent site where attackers were able to harvest customer details. The following day, the ICO announced its intention to fine Marriott International £99,200,396 (circa $124 million) in connection with a breach of its Starwood guest reservation database that affected some 339 million guests.
And while not under GDPR standards, the Federal Trade Commission in the US announced last week its intention to fine Facebook $5 billion for data privacy violations in the wake again of the Cambridge Analytica scandal.
So what immediate conclusions can we draw from these instances:
- Full enforcement. It should be noted that these 3 recent instances are “intentions to fine” – so we can expect there to be appeals – though the reputational damage may have already been done.
- Global impact. Internationally, as they say in boxing, “the gloves are off!” Not only in Europe and the US, but increasing instances for example in Australia and Turkey show that the regulator community is taking at least parallel if not unified action. For Micro Focus, it is interesting that in the week before these announcement, we received requests for our GDPR analysis facility – the Journey to Value – both in Germany and South Africa.
- Shock treatment. For a collection of surprisingly large European corporations, as well as Public Sector agencies, major banks, insurers and Local Government County Councils, GDPR was treated as a sideline Records Management project. Now they are accelerating their requirements for achieving GDPR effectiveness.
- Security Fine instance. In all 3 instances, there is a factor of security breach and misuse of data. Hence the Micro Focus suite of Security capabilities can provide demonstration of “ appropriate technical measures” as in Article 34.3 of GDPR – that one has taken prudent action:
- Data Life Cycle Management. But in addition to these defenses, one should bear in mind that “you cannot secure it till you’ve found it.” Hence the Secure Content Management suite of Micro Focus can enable visibility, classification and policy enforcement across mass data, of all types.
And a personal point, I am both a British Airways and Marriott Hotel client – so just a little satisfied that my personal data rights are being respected in the future!
Expect more on enforcement in the coming months - and maybe just time to revisit with Data Protection Officers the value of their role! Three key messages for them for an effective Data Privacy programme:
- Gain Effective Compliance and, in the UK, keep your management out of jail!
- Achieve Operational Efficiency by the data cleansing needed to answer Subject Access Requests and GDPR rights enforcement
- Increase Revenue from the increased reputational standards of GDPR effectiveness