The Rising Price of Non-compliance
Blog summary [4-minute read]
- Privacy has ascended to a key international safety issue
- Inefficiency in incident response creates financial and reputational harm
- Three Ways to Reduce Organizational Risk
Read more below.
With new privacy regulations passing frequently, penalties have been rising in tow. After two years, GDPR is firing on full cylinders and data protection authorities have exercised hundreds of punitive fines over failures to comply with the regulation and protection of user data.
In a recent LinkedIn post from his newsletter, Privacy by the Numbers, Jay Cline, Principal at PwC, explored the increasing number of privacy enforcement actions worldwide and the resulting fines and settlements they’ve amassed. To help corporate executives stay ahead of data risk, Cline speaks to changing regulations around the world to find that after writing the data privacy rulebook, the United States has fallen behind our international peers when it comes to managing data securely, and we’re paying a bulk of the fines for it.
With the passing of new international data breach laws, multinational organizations now find themselves facing three distinct privacy enforcement models, which he defines as multi-stakeholder enforcement, punitive fines and penalties, and non-monetary actions. As regulations continue to amount, enforcement of privacy regulation will grow to scale.
Privacy Reaches the Summit
Ranking privacy incidents by cost shows us commonly violated privacy principles include violations of choice, consent, collection and notice, and other user permissions issues. Additionally, per Cline’s reporting, since 1990, the top 20 government-imposed fines worldwide have largely been issued due to safety issues.
Dissecting privacy fines among multinational organizations, Cline posits that privacy has risen to the top of global interest and with increased visibility, the industry likely finds itself under the proverbial magnifying glass. Per Cline,
“The US FTC’s $5 billion fine on a US social-media company in July 2019 ranked among the top 20 fines by governments on corporations in history – putting privacy on par with environmental responsibility, personal health and safety, and financial fairness as leading global public interests. US class-action settlements, long a staple of the US enforcement arena, also routinely top $1 million in damages.”
This increased enforcement is in part due to GDPR operating in full effect and compound across regulations from China, Canada, and Latin America which are driving punitive fines and penalties worldwide. These simultaneous forces result in an increasing amount of fines and with more regulations being passed by the year, the risk of non-compliance is higher than ever.
But not all penalties are financial.
The Cost of Inefficiency
The effect of privacy incident management ripples across departments and impacts organizations as a whole. Beyond regulatory fines or even resulting class action settlements, reputational damage from privacy incidents often follows a brand for years in its wake.
Historically, the Federal Trade Commission (FTC) has imposed over a dozen consent decrees forcing organizations to conduct privacy and security audits for 20 years. Governing bodies in the EU and China have shown similar resolve when penalizing privacy incidents. Per Cline,
“In the wake of last year’s Schrems II decision invalidating the EU-US Privacy Shield, EU DPAs have moved to limit Europe’s use of non-EU cloud providers and prohibit other data processing deemed non-compliant. At the same time, China has shut down over 100 mobile apps, stopped various other data processing, and jailed many individuals its ministries determined were in violation of China’s new cybersecurity and privacy regulations.”
What traditional approaches to incident response, such as information security, ticketing, and in-house systems such as GRCs don’t address is the time-critical requirements to evaluate an incident in the context of applicable laws, determine whether it is a breach, and what notification obligations might be required.
So how does an organization avoid penalties and reputational harm from privacy incidents? Cline offers three key takeaways from the state of the rising price of noncompliance.
- Utilization of technology to ensure proactive enforcement of data regulations within organizations, including building security measures into new products, technologies, and data analytics
- Investing in security and consent measures to avoid the risk
- Promote from within: Cline finds two traits among successful organizations, a privacy leader who was able to win over their board, and/or board members who personally own privacy controls.
Simply put, by making privacy a priority, investing in tools and processes that mitigate risk and expedite incident resolution, organizations stand to reduce the risk of non-compliance and avoid costly financial and reputational harm.
The key is reducing inefficiency in privacy incident response and expediting the process from discovery to notification decision-making. Of course, the cost of inefficiency is only one of the common barriers to timely incident response. To learn the other challenges to efficiency, download our whitepaper.
Topics: Incident Response Management