GDPR starts to bite big business hard
Google has again been making GDPR-related news - the Information Commissioner's Office is investigating complaints that Google is breaking privacy laws, raising the prospect of further multi-billion-pound fines. This follows hard on the heels of the record €50 million fine by French data protection watchdog CNIL for Google a couple of weeks ago and illustrates that even the largest corporations can’t afford to lose focus on improving GDPR compliance.
The CNIL fine revolved around consent - “even when user consent was collected, it did not meet the standards under GDPR that such consent be specific and unambiguous”. Storing, maintaining and obeying consent that meets GDPR requirements relies on an accurate single customer view. Other customer data attributes are equally important and there have recently been worrying signs of poor quality customer data exposing other big businesses to potentially huge fines.
Early last month, Marriott issued an update on the massive 500 million record breach of its Starwood customer database: on 30th November 2018, Marriott believed it involved up to 500 million guests. Five weeks later, it said that it was no more than 383 million records: “We concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.”
The huge fine that Marriott faces under GDPR due to the breach (up to 2% of worldwide revenue) could be doubled if it can’t take prompt, effective action to notify affected customers - potentially a billion-dollar fine, on top of the probable loss of business and the 16% decline in its share price (from just before the breach was announced to just after this update).
Effective communication with customers is impossible if you don’t know how many customers have been affected. Anecdotal evidence confirms that some Starwood customers have received emails about the breach from Marriott whereas others have not, even though their email addresses haven’t changed.
Next was Santander making the mainstream media headlines, with a £33 million fine in December - essentially caused by the lack of an accurate, up-to-date single customer view (SCV) - through inadequate identification of all accounts for deceased customers and writing to old addresses. It can safely be assumed that the real cost to Santander of all this bad press will be far higher. Although this fine was levied by the FCA, it shows the potential for even bigger fines under GDPR for large companies with inadequate customer data quality.
Let’s remind ourselves of the main requirements of GDPR compliance in respect of customer data:
• Keeping customer data accurate, up-to-date and secure;
• Proving consent for all use of customer data;
• Responding to subject access requests quickly;
• Processing the “Right to be forgotten”;
• Maintaining a complete audit trail of access and updates to customer data;
• Notifying affected customers promptly in case of a breach.
Marriott and Santander appear to be in breach of the first duty and, for those guests who don’t follow the news, Marriott could also be in breach of the last. Google will be able to update its systems and agreements and, having done that, storing granular consent in an accurate SCV will be easier with its Google user IDs than for many other organisations.
Companies that collect customer data from a variety of different touchpoints, such as point-of-sale, websites, front desks, phone, email and coupons, will find life much harder. Their systems and staff will now be put under intense scrutiny by large numbers of customers making subject access requests and/or asking for their information to be erased and questioning consent.
Given the volumes of data involved, doing this effectively and efficiently requires highly accurate, automated matching. If, for example, a supplier removes one or two instances of a customer but other occurrences remain undetected, the right to be forgotten request will not have been fulfilled. The situation could then be aggravated by communication with the undetected customer duplicates, leading to further scrutiny and potentially more fines.
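A sketch of the cross-touchpoint matching this paragraph calls for, written for this article as an added example (not a vendor's tool or the author's code): records from constructed touchpoints are normalised on e-mail, postcode and name before an erasure request is matched against them, so that the copies a raw e-mail comparison would miss are still found. The record layout, field names and sample values are all assumptions.

```python
import re
import unicodedata
from dataclasses import dataclass
@dataclass(frozen=True)
class Record:
    system: str    # touchpoint that holds the record
    name: str
    email: str     # may be empty, e.g. a till receipt
    postcode: str
def _ascii(s: str) -> str:
    # strip accents so "Müller" and "Muller" compare equal
    return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
def norm_email(email: str) -> str:
    email = _ascii(email).strip().lower()
    if "@" not in email:
        return ""
    local, domain = email.rsplit("@", 1)
    return f"{local.split('+', 1)[0]}@{domain}"   # drop "+tag" sub-addresses
def norm_name(name: str) -> tuple[str, str]:
    # returns (forename, surname); handles "Surname, Forename" and initials
    name = _ascii(name).lower()
    if "," in name:
        surname, forename = (p.strip() for p in name.split(",", 1))
        name = f"{forename} {surname}"
    tokens = re.sub(r"[^a-z\s]", " ", name).split()
    return (tokens[0], tokens[-1]) if tokens else ("", "")

def names_compatible(a: str, b: str) -> bool:
    (fa, sa), (fb, sb) = norm_name(a), norm_name(b)
    if not sa or sa != sb:
        return False
    # a one-letter forename counts as an initial of the other forename
    return fa == fb or (len(fa) == 1 and fb.startswith(fa)) or (len(fb) == 1 and fa.startswith(fb))

def matches(rec: Record, req: Record) -> bool:
    if rec.email and req.email and norm_email(rec.email) == norm_email(req.email):
        return True
    same_postcode = re.sub(r"\s+", "", rec.postcode).upper() == re.sub(r"\s+", "", req.postcode).upper()
    return same_postcode and names_compatible(rec.name, req.name)

def all_instances(records: list[Record], req: Record) -> list[Record]:
    return [r for r in records if matches(r, req)]

# constructed sample: one guest as seen by three touchpoints, plus an unrelated customer
RECORDS = [
    Record("web", "John Smith", "john.smith@example.com", "SW1A1AA"),
    Record("front_desk", "Smith, John", "John.Smith+hotel@Example.com", "sw1a 1aa"),
    Record("pos", "J. Smith", "", "SW1A 1AA"),
    Record("coupons", "Jane Doe", "jane@example.org", "EC1A 1BB"),
]
REQUEST = Record("erasure_request", "John Smith", "john.smith@example.com", "SW1A 1AA")
```

On this sample, raw e-mail equality finds only the web record, while the normalised match also returns the front-desk and point-of-sale copies; in practice the match rules, and any false positives they produce, need review before anything is erased.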
In 2017 alone, over 40 organisations, including Equifax, Verizon, eBay and Uber, were in the news having suffered costly and/or embarrassing data breaches. That seemed bad enough but, according to personal information security specialist IdentityForce, there were three times as many data breaches in 2018, including Facebook, British Airways and the US Postal Service. Under GDPR, that must represent hundreds of billions of customer communications needed and countless billions in potential fines.
Many board members of large enterprises must nervously be asking their CEOs, CDOs and CTOs how confident they are about how many customers they really have. Digging a bit deeper, they will want to know what checks are being conducted to verify that this confidence is not misplaced.
Mindful of the age-old truth that “security is only as good as the weakest link”, the board will also be concerned if in-house systems are not good enough at the “fuzzy matching” of customer data that this requires, and IT is exporting data from its secure database to external systems to perform the matching.
The bottom line is that any organisation that is not doing its utmost to keep access to high volumes of customer data secure, or not making sure that they can react effectively in the event of a breach, is betting the farm on thinking that, “it wouldn’t happen to us…”
Every business can and should be investing in pre-emptive solutions to stop the worst from happening. While no single off-the-shelf GDPR data compliance solution exists, whatever the size of the organisation, there are tools and services to cater for every data pain point, and these should be part of every business’s prevention strategy: database encryption and security, data quality screening and suppression to ensure accuracy and validity, and address verification and matching to maintain a truthful, up-to-date, legitimate single customer view.