GDPR Shows Its Teeth, Goes After Breached Companies

GDPR Shows Its Teeth, Goes After Breached Companies

In 2018, the European Union (EU) General Data Protection Regulation (GDPR) heralded in the most important change in data privacy regulation in 20 years.

Far reaching in its applicability, GDPR extends well beyond Europe and affects any business that collects and stores the private data of EU citizens. In a sprint towards compliance, U.S. businesses have reacted by adding service level tactical measures, including the ability to accept cookies and the posting of easy-to-read privacy notices.

However, cookies are mentioned only once in the entire 80-page GDPR ruling and privacy policies, and are just one of the recommended steps to demonstrate compliance. Which begs the question, what else is in the regulation? The answer is starting to emerge, and it has major implications for global businesses.

Penalties for cyber breaches shake the business world

EU regulators have long warned that non-compliance with GDPR would result in hefty penalties. Beginning as early as 2018, tech giants Facebook and Google faced scrutiny for a lack of transparency about the data they collect. They were eventually fined €56 million.

But tech companies aren’t the only ones in the spotlight. CIO Dive reports that in July 2019, the UK’s Information Commissioner’s Office announced plans to fine British Airways and Marriott International $230 million and $124 million, respectively, for data breaches reported in 2018.

This action is a huge red flag for all companies. It signifies that GDPR is far more broad reaching than most firms had anticipated.

“The aim of the GDPR is to protect all EU citizens from privacy and data breaches in today’s data-driven world,” states the regulation. “Under the GDPR, breach notifications are now mandatory in all member states where a data breach is likely to ‘result in a risk for the rights and freedoms of individuals.’ This must be done within 72 hours of first having become aware of the breach.”

The penalties are severe. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. In the case of British Airways and Marriott, the fines were stiffer than those incurred by tech companies.

Ironically, the breach doesn’t have to come from within to incur the wrath of GDPR enforcers. Marriott was never directly breached. The attack came from an already compromised server inherited during Marriott’s 2016 acquisition of the Starwood Hotels group.

Marriott is not alone. Today, 59% of breaches originate with third-party vendors and 53% of acquiring businesses say they’ve encountered a cybersecurity issue or incident that put an M&A deal in jeopardy.

GDPR and security ratings

While major brands like British Airways and Marriott may be able to absorb the cost of GDPR violations, for others the fines can be devastating. The recent wave of high stakes GDPR violations and fines set a new precedent and have wide-ranging implications for the C-suite and boardrooms everywhere.

As organizations continue to struggle with the challenges of managing cyber risk within their four walls, across supply chains, and during the M&A process; business, security, and risk leaders must up the ante. Avoiding a breach is an impossible task, but organizations can assess and reduce cyber risk using tools like security ratings.

The cyber equivalent of a credit score, security ratings are a highly effective means of identifying risky vendors and acquisition targets, supply chain vulnerabilities, and monitoring the overall performance of your own cybersecurity program.

With a common understanding of risk, you can then work with first- and third parties to collaboratively manage and remediate risk before a breach happens and any violation of data privacy laws occurs.

U.S lawmakers eye similar legislation

GDPR was just the beginning. Here in the United States, policymakers in California and Ohio are already following Europe’s model by passing sweeping legislation that reinforces and expands consumer data privacy rights, with other states expected to follow suit.

Now’s the time to proactively go beyond just placing “Accept Cookies” buttons and privacy policies on your website. As GDPR and states’ initiatives have shown, protecting consumer data is a top priority for governments all around the world, and they are increasingly willing to enforce their regulations. Companies everywhere must do everything possible to ensure that their information is protected — or risk getting bit.

Download Ebook: A Risk Manager’s Guide to GDPR

A Risk Manager's Guide to GDPR