Less than a year ago, the European Union instituted the General Data Protection Regulation (GDPR) to protect customer rights to data privacy.
The regulation created quite a stir in May 2018 when it was enacted, and has recently created even more of a stir because the first fines for non-compliance have been levied. While the EU granted a short amnesty period to allow organizations to comply with the regulation, the fines definitely send a clear signal that the amnesty period is indeed over.
Companies are responsible for implementing GDPR-compliant data policies; complacency about the regulation will surely not win the day. No excuses — comply or be fined; the EU has definitely made good on its promise to staunchly defend citizen rights to privacy.
Thus far, there have been three notable penalties. One of the most visible is, of course, Google, which received a €50 million fine in France, courtesy of French data regulator CNIL (Commission Nationale de L’informatique). Google’s fault according to CNIL is the lack of transparency and unclear consent regarding advertisements.
In particular, Google did not have one clear source of information regarding how data is collected. Instead, the information was interspersed into various documents and websites, creating a nearly impossible task for the end user to be aware of how their personal data is actually being used.
The bottom line is that users must be able to make an informed choice about whether (or not) to consent to Google’s use of their data. The other important factor in the Google fine is that CNIL clearly sent a signal that Google can and will be regulated by every data privacy authority (DPA) within the European Union regarding the GDPR rules. Companies that were just focusing on the data privacy rules in their own country have definitely taken notice.
Google will inevitably appeal CNIL’s decision and organizations around the world are anxiously awaiting said outcome. If CNIL’s decision stands firm, companies will have to make changes in how they conduct similar online platforms. Simply said, the outcome could possibly create a profound change in the relationship between consumer and advertiser.
In Germany, a similar social media platform was fined €20,000 for a breach that compromised personal information like passwords and email addresses from more than 300,000 users. While this fine could have been much worse for the company, many industry experts state that the company was given a much lower penalty for how they handled the breach. The company’s saving grace was a proactive notification of both customers and the German GDPR data protection authorities.
This last example of a GDPR-levied fine definitely brings home the message of the lengths the EU will go to protect their citizens. In this case, an Austrian businessman was fined for placing a camera outside his business. The camera was not clearly identified as a CCTV camera, yet it was recording a public space outside his business.
Since GDPR began, the EU has received nearly 100,000 data privacy complaints from its citizens and over 40,000 data breach notifications from companies. Experts say these numbers are low because they are based on voluntary contributions from only 21 of the 28 EU member countries. The numbers therefore are actually much higher.
So far, the GDPR has reported levying 91 fines, with 60 of those fines levied by the German DPA alone. GDPR definitely changes the compliance risk for organizations across the world. Heftier and more numerous fines are expected to be handed out in 2019 as the EU moves into GDPR with full steam.
The United States was once the trailblazer of the world when it enacted the mandatory data breach notification laws and punishment sanctions for non-compliant businesses. Now, the U.S. Congress is closely following GDPR and may soon enact similar privacy considerations to rein in companies like Google, Facebook and others who offer free products and services at the expense of a user’s personal information. Congress understands that what a consumer discloses today can have far-reaching implications years later, and they are definitely watching the implementation of GDPR as Europe nears its first anniversary of enacting the law.
It takes an average of 287 days for security teams to identify and contain a data breach, according to the “Cost of a Data Breach 2021” report released by IBM and Ponemon Institute.
Forty-three percent of attacks are aimed at SMBs, but only 14% are prepared to defend themselves (Accenture).
The three sectors with the biggest spending on cybersecurity are banking, manufacturing, and the central/federal government, accounting for 30% of overall spending (IDC).
40% of businesses will incorporate the anywhere operations model to accommodate the physical and digital experiences of both customers and employees (Techvera).
The average cost of a data breach in the United States is $8.64 million, which is the highest in the world, while the most expensive sector for data breach costs is the healthcare industry, with an average of $7.13 million (IBM).
More than 33 billion records will be stolen by cybercriminals by 2023, an increase of 175% from 2018.
The cost of cybercrime is predicted to hit $10.5 trillion by 2025, according to the latest version of the Cisco/Cybersecurity Ventures “2022 Cybersecurity Almanac.”.
The internal team was energized. With the Level 1 work off its plate, the team turned its attention to the work that fueled company growth and gave them job satisfaction.
We did a proof of concept that met every requirement that our customer might have. In fact, we saw a substantial improvement.
We did everything that we needed to do, financially speaking. We got our invoices out to customers, we deposited checks, all the things we needed to do to keep our business running, and our customers had no idea about the tragedy. It didn’t impact them at all.
“We believe our success is due to the strength of our team, the breadth of our services, our flexibility in responding to clients, and our focus on strategic support.”