If businesses hadn’t already woken up to the financial clout that’s now in the hands of the world’s data protection regulators, the recent compliance fines in the US and UK have made everyone sit up and take notice.
Facebook’s $5bn fine for mishandling the personal data of its users is the biggest in corporate history, and during one dramatic week in the UK, the regulator handed out two GDPR fines of nearly $350 million in total. British Airways was given a fine of £183 million (c.$225 million) – about 1.5% of their 2017 income. A few days later, Marriot was hit with a £99 million penalty (c. $122 million) – about 3% of their 2018 revenue.
While those numbers grab the headlines, that’s not the end of the story for businesses who find themselves under scrutiny from the regulators. Indeed, the impact of emboldened regulators whose rules and enforcement powers are finally catching up with the digital society are potentially long-term in nature.
Hitting Where it Hurts
The bottom line for every business out there is that the days of tiny fines for negligent data protection efforts are gone. The momentum has shifted, and the regulatory systems left behind by the speed of change in society are catching up.
And we’re nowhere near the end of that process, with more regulation arriving in the US in the shape of the California Consumer Privacy Act (CCPA), which becomes effective on Jan 1st next year. Breaching these rules will allow citizens of California to sue for up to $750 for each violation, and the state attorney general can sue for intentional privacy violations of up to $7,500.
Somewhat less tangible, but arguably just as important to businesses in the firing line, is the effect of a compliance ruling on reputation. Although difficult to precisely measure, there’s no doubt that businesses are extremely sensitive to the damage this kind of negative publicity can do to their brand.
After a compliance ruling is made public, the reputational damage is immediate, and while media interest naturally moves on quite quickly, those companies remain under extra levels of scrutiny in the future. For many consumers, the damage done to trust is permanent and you only have to scan social media to see customers vowing never to spend money with those companies again.
Putting Things Right
In every case, companies that fail to protect the data of their users and customers have to take steps to prevent a recurrence. In every public statement after a data breach, you will probably see the words “make sure this never happens again” somewhere in the text. It has become a cliché, but contrition and remediation are minimum requirements in response to a very public ruling from a regulator.
And that can get expensive. Whether it’s lost revenue, putting time and effort into repairing corporate reputation or investing in people, processes and technologies that keep businesses ahead of risk, it’s money that is always better spent in advance of need. The old-fashioned saying “prevention is better than cure” could have been invented for contemporary data protection, and as more rulings and fines are handed out in the years ahead, it’s likely that every business involved would, in hindsight, agree.