We recently celebrated Thanksgiving here in the United States. As much a tradition as turkey and mashed potatoes are the lively discussions around the dining room table. This year, my family more or less succeeded in avoiding politics; but one of the discussions that took its place was about privacy and security on the Internet.
In case you missed it, both Uber and Google had exactly the type of media coverage that every company is trying to avoid today. While it doesn’t seem that long ago that the online privacy discussions were centered around Sony Pictures, Target, and Home Depot, it is clear that the issues continue and they continue to hit big-name brands.
This past week, Uber acknowledged that it had not only suffered a breach that exposed the personal information of 57 million subscribers, but it 1) did not disclose the breach to the public for nearly a year, and 2) reportedly paid the hackers $100M to keep their mouths shut about it. Meanwhile, over at the home of Android, a new report showed that Google has been accessing data about Android users’ locations, even when the user believes that the data is being kept private. While both cases have plenty of fodder for a good conversation about information security and business ethics, what I found myself thinking about between the last of my drumstick and my first helping of pumpkin pie was, of all things, the General Data Protection Regulation – or GDPR.
Compliance with the GDPR will become mandatory across Europe on May 25, 2018, bringing with it a wide range of new challenges for businesses. The core of the regulation is based on protecting European citizens’ privacy. Organizations that have any dealings with the personally identifiable information (PII) of European citizens must be sure that their systems are designed to guarantee that such PII is acquired with consent for use and is added to systems that are adequately secure in accordance with the requirements of the regulation. Organizations must also formulate the necessary policies and procedures to ensure the ongoing security and portability of PII. For example, the regulation requires organizations to notify the local data protection authority of a data breach within 72 hours of discovering it. The regulation also specifically mentions that systems in use should have privacy by design. Enforcement of the GDPR is backed by fines of up to €20M or 4% of global revenue.
It was the consideration of the fine that made my mind wander as I added another scoop of vanilla ice cream to my apple pie. If the past week’s events with Uber and Google happened a year from now, what would that look like? Uber revenue in 2016 was $6.5B. Since the company disregarded one of the GDPR’s requirements for notification and allegedly tried to cover it up, it’s not too hard to imagine an EU Supervisory Authority throwing the book at them, which would be a $260M fine at 4% of their global revenue. In the case of Google, I think it would be a record breaker as far as fines go. Alphabet, Google’s parent company, saw revenue of $90.27B in 2016. When I look at the “infraction” that one might reasonably accuse Google of, one could argue that privacy was the furthest thing from a priority when they designed the system to collect data even when users believed the location services were turned off. They definitely were not obtaining consent for said data collection. Had this happened a year from now, they might be served a $3.6B fine at 4% of their global revenue.
The GDPR is rapidly approaching, and companies that do business with citizens of the EU are still preparing. Some steps to follow include appointing a data privacy officer, embracing the privacy-by-design approach, and reviewing and refining your data security strategy. You can read more about these and other steps here.