Kristina Bergman, founder and CEO of Integris Software, tells us why companies should take their customer data seriously, and what the implications can be for those that don’t.
Can you explain data privacy and why this issue has become a concern?
The easiest way to explain the importance of data privacy is to take a historical view. In Europe’s recent past, race, religion, and sexual orientation were used to target people in horrific ways. As a result, Europe became very protective of people’s personal information. More recently in the United States, scandals such as Facebook’s Cambridge Analytica scandal and ongoing healthcare breaches have shown that data is not only an asset but also a liability for companies storing and transmitting personal information.
Why is it essential for companies to meet data privacy laws?
The misuse of private data undermines our basic concepts of freedom and democracy. Public sentiment towards data privacy has changed, as people have started to experience how these violations can impact everyday lives. The awareness around these ongoing data breaches has pushed lawmakers and ordinary people to respond in powerful ways. Consumers are now voting with their spend to choose businesses that assure the safety of their data.
What are some examples of data privacy laws? What can happen if organizations don’t comply?
Two of the top data privacy laws right now are the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in California. The GDPR is the core of Europe’s new initiative to reflect the digital world and privacy laws. GDPR applies to any organization that operates directly within or outside of the European Union and enforces strict legal conditions and penalties for the use of consumers’ data. Almost every major corporation in the world must comply with GDPR to operate in the European Union.
The California Consumer Privacy Act (CCPA) protects California residents and grants rights regardless of consumers’ consent to the collection of their data. It also includes a right to know who shares and collects their data and imposes hefty financial fines on those who misuse it. The law takes effect on January 1, 2020, and will be enforced by the California Attorney General, who is likely to be aggressive in enforcing it.
These two laws are just the tip of the iceberg and catalyze emerging privacy legislation across other states and around the world. Not adhering to these laws will result in a loss of trust with customers. However, brand and reputation damage will be much more harmful than any lawsuit or government fine. Companies don’t want to have customers that no longer trust their products or services. Penalties can be negotiated or paid, but reputational damage is challenging to reverse.
What are some of the top misconceptions that businesses have around data privacy?
Organizations sometimes have no idea what kind of data they hold in their repositories. They know what they’ve agreed to collect, but don’t fully understand what additional information has entered their organization. Data sharing agreements are a prime example. For example, one of our clients recently acquired a company that had data-sharing contracts with credit card processors. Unexpectedly, part of this data transferred to their company, revealing private customer information such as behavioral preferences and sexual orientation.
Credit card processors are a significant area of concern for many companies. They collect vast amounts of private data that, if leaked, could damage your reputation, upend your family, or impact your ability to get a job. Many companies don’t know what kind of data they have because executives and the engineers that manage the data have different vantage points. An agreement to share only a small amount of information doesn’t always equate to how much data is shared. This is true for data entering and leaving the organization. As long as companies continue to view data as an asset, rather than a liability, they will continue to over-collect and over-share information that can become a risk in the event of a breach, audit or a lawsuit.
How can organizations ensure they comply with the law and data-sharing agreements?
The gap between data engineers and executive decision-makers is a big issue. I believe data privacy should be a board-level topic. Attorneys and business unit leaders can go to great lengths to create appropriate and defensible data sharing agreements, but it’s all pointless if you can’t tie those agreements back to the actual data being shared. This is a massive blind spot for most companies.
Why is it essential for organizations to implement an effective privacy posture?
What are some examples of major data breaches from companies neglecting to ensure proper privacy policies?
- Facebook is still facing backlash from the violation of its users’ privacy related to the Cambridge Analytica scandal. There is an overwhelming number of people who do not trust Facebook anymore, which resulted in a wave of regulators coming after it. Facebook recently agreed to pay $5 billion to the FTC for mishandling people’s personal information.
- Hotel group Marriott faces a $123 million fine under GDPR. Over 339 million guests, including 30 million EU residents, were affected by a breach. Marriott is still determining precisely which data was stolen and which guests were affected. Hacking into a hotel database can generate a lot of damage based on their clientele, even potentially affecting diplomats and government officials if a foreign agency compromises the data.
- British Airways has been fined under GDPR for $230 million related to a data breach last year, where hackers accessed more than 500 million customer records.