One of the biggest differences noticed by Kevin Kiley, vice president of Privacy management software company OneTrust, when comparing and contrasting the pre- and post-GDPR era is the way in which organisations have behaved in reaction to the data of their customers being breached.
In 2017, US credit report and scoring company Equifax revealed that hackers had accessed data of their customers between mid-May and the end of July. The hack is estimated to have affected almost 700,000 customers in the UK, thought the company had previously said that the number was around 400,000. The hackers also stole the details of 146 million Americans and 8,000 Canadians.
"Equifax executives were selling shares before the word got out."
The way in which Equifax handled this breach would not have been in line with GDPR stipulations by a long stretch, Kiley said. “Equifax was very slow to drip that information out. In fact, we later found out that many of the executives were selling shares in the company before the word got out.” It took six weeks to report the incident on 7th September and senior executives sold $1.8 million in shares before the breach was made public.
In contrast, British Airways suffered a data breach between 21st August and 5th September 2018 in which details were stolen on 380,000 transactions. Within two days, the chairman and CEO Alex Cruz went public about the hack and apologised to customers, something for which BA should be commended, according to Kiley.
“You have to give them credit for being very transparent. Within just a few days, BA came forward with the story, making it known both to regulators and also to their customers that there had been a data breach.”
Concern has shifted from sanctions to law suits.
The VP has noticed a shift in concern from sanctions to law suits. Every piece of coverage relating to GDPR in the run up to 25th May mentioned the fines of up to 4% of annual global turnover fines or €20 million.
Kiley said: “The real concern can be around class action law suits and the individuals banding together because the law gives them so much more capability to do that.”
A third trend that Kiley has seen in the last five months is somewhat of a snowball effect - the increasing emphasis placed on privacy in territories that might not have placed such importance on the issue in the past. “We're seeing there is consistent attention being put forward around new laws and GDPR.”
Data privacy laws still under negotiation in different places around the world include the European Union ePrivacy Regulation, India’s Personal Data Protection Bill, Chile’s Privacy Bill Initiative, New Zealand’s Privacy Bill and Brazil’s General Data Protection Law.
"The drumbeat is that organisations have to take privacy seriously."
In addition to these, in the United States there are some privacy acts that have state-wide jurisdiction including the Colorado Data Privacy Act which passed in September, Vermont’s H.764, also known as the data broker privacy law effective January 2019, and the California Consumer Privacy Act due to pass in January 2020. “There just seems to be more and more of a drum beat coming that organisations are going to have to take privacy seriously,” he said.
Kiley synthesised what he’s learnt since GDPR became enforceable and what he thinks businesses should do into three key points. Those are: privacy is here to stay thanks to regulation; privacy should be considered as an element of all your operation; and stay aware of new developments.
Kevin Kiley was speaking at Gartner Symposium ITXPO.