Assessing your GDPR exposure
Published 15th January, 2018
The General Data Protection Regulation (GDPR) has dominated the headlines for the past 18 months. In short, any company that handles personal data will have to comply with the GDPR, whether it is based in the European Union or not. However, as the May 25th implementation date approaches, complying with the GDPR continues to be a concern for many companies. Here we recap the biggest data breach scandals to hit the headlines and remind ourselves why the GDPR is needed.
COMPANY ‘INCIDENTS’ INVOLVING CUSTOMER DATA
For over ten years, data breaches have made big headlines. In the United States in 2005, for example, ChoicePoint had the personal information of 145,000 subjects compromised in a breach and ended up paying $15m to settle charges. Several weeks later, LexisNexis reported a data breach incident that resulted in unauthorised access to the drivers' license information and social security numbers of 310,000 individuals. These incidents followed earlier data breaches at Ford Motor Corporation and Bank of America. Unsurprisingly, security was subsequently upgraded, but security upgrades do not seem to have stemmed the tide of breaches.
Nearly ten years on, in 2014, the US retailer Target lost 110 million records through a well-publicised compromise. Two years later, in 2016, the largest ever data breach, at Yahoo, saw three billion records compromised. There are numerous other well-known breaches, including Anthem, eBay, Home Depot, Sony PlayStation and the US Office of Personnel Management, to name but a few.
Moving on to 2018, two things have changed. The number of data subjects affected has grown exponentially and, worryingly, large companies are still failing to fully comply with basic reporting obligations.
DELAYS IN REPORTING A PERSONAL DATA BREACH
The original draft of the GDPR had more onerous reporting requirements, but after much lobbying these were reduced for the final regulation. Under Article 33 of the GDPR, data controllers are required to report a personal data breach to their competent Supervisory Authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
Where a breach is not reported within this time frame, the data controller must provide an explanation for the delay. A notification must describe the nature of the breach, the number of data subjects and personal data records affected, the likely consequences of the breach, and the mitigation measures proposed or already implemented.
Being slow to report data breaches has been a common element of recent data breach incidents. Last year, Equifax was compromised in a breach affecting 145.5m customers and was criticised for both its detection and its reporting times. The US Securities and Exchange Commission recently acknowledged a data breach that occurred in 2016, coming in for sharp criticism as it failed to meet its own reporting standards. Uber also failed to report the recent hack affecting 57 million customers within a reasonable time.
ALIGNING PENALTY IMPACT WITH INEVITABLE BREACHES
There is clearly a cultural issue within these large companies regarding their data protection obligations. The recent conduct of these companies will no doubt affect the approach regulators take from May 2018. If regulators believe this culture is endemic, we will likely see substantial penalties for these failings under the new regime.
Given that the GDPR is a new piece of regulation, understanding the quantum of potential fines is an arduous task. Here at Corlytics, we have figures on what the likely penalties will be and how soon they are likely to be levied. We can also determine whether these penalties will be at the higher end of the scale, helping you to better understand this exposure and its impact.
Corlytics has analysed thousands of regulatory notices, including enforcement actions, thematic reviews, business plans and guidance notes, in order to understand the patterns of events that lead to regulatory penalties. In these documents, regulators provide hints, signals and direct input on best practice for complying not just with the letter of the regulation but with its spirit.
Corlytics can help organisations bridge the gap between the intent of the regulation and its actual implementation, measure the risk that a regulation such as the GDPR poses to an organisation, and accurately assess the impact on the bottom line. More importantly, Corlytics can provide actionable insights into reducing that risk exposure in order to prevent fines, even if a breach occurs.
If you have questions about your GDPR exposure, please contact us at Corlytics.