The Importance of Data Privacy Compliance Under the GDPR


GDPR still hovers over us. We’ve outlined the best ways to ensure your website is GDPR compliant, but data privacy compliance under GDPR is still a scary topic, especially if your business has both a US and a UK portion. How do you ensure you are data compliant under GDPR?
Privacy is something we take very seriously, and you should too, not only for the fines associated with GDPR but for the transparency and trust it builds with your customers.
To help you navigate GDPR, we’ve partnered with UpCounsel for their legal minds. Our friends at UpCounsel are a great legal option – they specialize in legal services for fast-growing companies and do one-off consultancy and long-term partnerships.
This blog was originally published on UpCounsel.
It has become very costly to avoid data privacy compliance. While fines and penalties have existed for years in various amounts from multiple regulators, the European Union’s new General Data Protection Regulation (GDPR), effective May 25, 2018, raises the stakes. It specifies fines up to 20 million Euros or 4% of a company’s prior-year global revenue, whichever is higher, depending on the “nature, gravity, and duration” of the violation and the “categories of personal data affected.”
Privacy is inherently important to all of us. Privacy is power – the power over self. Ever since the advent of the internet, most of our lives are purposefully conducted online, and that makes the concept of privacy even more important. The “special categories” created by GDPR’s Article 9 recognize the sensitivity of certain areas of our lives, which may have a greater impact if made public. These categories include race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, and data related to a person’s sex life or sexual orientation.

Global Privacy Trends

This concept is taking shape quite differently around the globe. The E.U. is moving towards recognizing digital privacy as a fundamental human right, and other countries are following suit with local laws to provide similar protections. At this point, the U.S. is the lone holdout on general privacy rights, but even here, we’ve provided enhanced protections for personal health information (PHI) privacy through HIPAA since 1999.

U.S. Laws

For the first time, all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands now have breach notification laws. While these are often ignored, these laws typically require private entities to notify affected users and the attorney general of any security breach or unauthorized disclosure involving personally identifiable information (PII).
These laws are focused on data attributes like social security and driver’s license numbers, birth date and place, age, marital status, race, salary, phone number, and other demographic or financial information. Based on recent headlines and most individuals’ experiences handling the aftermath of persistent credit card and large-scale PII data breaches (e.g. Equifax), it is easy to understand the importance of keeping this private information out of the public eye.

The Cost of a Breach

Recent privacy breaches have led to executives being dragged before Congress, fines in the millions, and remediation and litigation costs in the hundreds of millions.

According to a 2017 study sponsored by IBM, the average cost of a data breach across businesses of all sizes globally is $3.62m, or $141 per record. Recently the New Jersey Attorney General fined a medical practice $418,000, or about $260 per patient record, even though it was their third-party service provider that actually caused the data breach. The Ponemon Institute, the firm that performed the IBM study, estimates that even one employee’s lost or stolen laptop may cost as much as $50,000 after all the required legal notifications are made.

Required Action

Every federal and state body with privacy enforcement authority imposes higher fines for willful and uncorrected violations. Some basic steps to prevent, identify, and mitigate a privacy compliance failure include:

What to Do Next

While remediation and notification are costly, ignoring privacy compliance can be much more expensive. Prevention is more affordable than remediation, and preparation is better than litigation. The growing privacy compliance obligations can be burdensome to understand and difficult to implement. It is prudent to seek outside counsel when in doubt. Furthermore, establishing or administering information security and data privacy assessments through legal counsel may provide the defense of legal privilege if litigation is ever required.
