By Greg Sparrow
The General Data Protection Regulation (GDPR) continues to be an important topic of conversation for U.S. companies. Since its inception, the GDPR has raised a number of questions as to whether businesses are properly prepared to comply. The GDPR was adopted on April 27, 2016, and allowed a two-year post-adoption grace period for businesses to plan and implement a compliant approach. With less than two months left before enforcement begins, surveys report that an estimated 61 percent of U.S. businesses are not ready for the regulation, and that only 67 percent of European-based businesses have begun moving into the implementation phase of their GDPR compliance program.
The potential fines have many concerned about compliance as the May 25, 2018 enforcement date approaches, yet many businesses struggle to fully understand the regulation and therefore fail to launch a comprehensive plan.
Turning our focus to the technology industry, several internet-based social websites and applications (apps) have built an international presence through platform expansion and marketing efforts. One recent example is the web-based platform Facebook and its acquisition of the messaging app WhatsApp. WhatsApp announced in August 2016 that it would share user data with Facebook to improve its service and to provide statistics and usage patterns to the social media giant. Facebook has significantly expanded its marketing efforts in recent years with suggestion capabilities that inform users about products or services that may interest them, based on the data collected about each individual.
Since the acquisition, WhatsApp has expanded its reach internationally to Brazil, Europe, and India, placing the app at the forefront of data protection regulations. On March 15, 2018, WhatsApp announced that it will not share user data with Facebook until it can assure U.K. users that the sharing is compliant with the GDPR.
The GDPR brings the Facebook and WhatsApp data-sharing arrangement into scope not only because of WhatsApp's presence in the U.K., but also because it monitors the behavior of European Union (EU) data subjects and offers them goods and/or services based on that collected data. Facebook's practices most likely include automated individual decision making about EU data subjects, which under the GDPR requires a lawful basis such as the data subject's explicit consent. Processing is broadly defined in the regulation to include most actions that can be performed on data, and specifically covers collection and storage, both of which Facebook would be doing in this case. Facebook must therefore have processes in place to honor the nine distinct rights granted to EU data subjects, and be able to operate under the privacy principles defined within the GDPR. The regulation further dictates appropriate security measures for the protection of personal data, establishes breach reporting requirements, and places direct obligations on the vendors (processors) handling this data. These expansive requirements make the process of marketing more complex for the two technology companies.
Some smaller apps and web-based social sites may not be taking the new regulation as seriously as they should, but past enforcement actions show that the enforcement risk is real regardless of company size. The GDPR states that a non-compliant company that puts EU citizens and their privacy at risk can be fined up to €20 million or four percent of its total worldwide annual turnover for the previous fiscal year, whichever is higher. On top of this penalty, EU individuals also have the right to receive compensation from the controller or processor for the damage they have suffered.
For a company like Facebook, which the author estimates had net revenue of around $18 billion in 2017, a four percent fine would come to roughly $720 million (note that the GDPR bases the cap on total worldwide annual turnover, not net revenue, so the actual ceiling would be higher). It is also important to note that fines are assessed per infringement, although Article 83(3) caps the total for several infringements arising from the same or linked processing operations at the amount set for the gravest infringement. It can certainly be assumed that larger repercussions would follow in this hypothetical case, since enforcement history suggests that violations of this kind rarely stand alone and typically occur together with others.
There are several steps that affected companies must take immediately to reduce their exposure to risk. A solid start begins with understanding how the GDPR applies to the various parts of the business and understanding each unit's risk profile in order to establish priorities for the initiative. Once risks and priorities have been identified, it is critical for organizations to identify and document their lawful basis for processing this data.
Every industry has its own unique risk and operational challenges, and every business within it has its own level of maturity relative to industry peers. The counsel of a trusted compliance firm helps to quickly identify industry and organizational risks that an unbiased third party will spot but that are often otherwise overlooked. A risk management and compliance consulting firm can help organizations quickly identify risk, formulate a plan to mitigate it, and set up ongoing monitoring programs that maintain valuable records of compliance.
Some have suggested the GDPR will set the global precedent for data privacy and security regulations. Brazil and China have both shown interest in forming similar requirements to protect the privacy of their citizens' personal information from businesses storing and transferring data across borders.
To adequately prepare for the GDPR and the similar regulations likely to be introduced in the future, businesses must educate themselves on these regulations and decide how they will meet the requirements. Appropriate processes and procedures obviously help minimize exposure to fines, but they also provide an opportunity in the market to reassure customers and, in return, earn their trust.
Greg Sparrow is the SVP/GM of CompliancePoint. He has more than 17 years of experience in privacy, information security, and risk management. Sparrow has worked on both U.S.-based and international projects. He was responsible for the development and implementation of a security program charged with protecting billions of dollars in annual transaction volume. His most recent work includes security and certification work for Samsung Pay, enterprise risk management for multiple NFL and MLB sports teams, and helping to secure critical infrastructure at some of the nation's largest transit hubs.