By Marilia Wyatt, CyberPrivacy
Companies looking to gauge how regulators will interpret the European Union’s General Data Protection Regulation should monitor decisions around fines and which violations are treated as the most severe, said panelists on Thursday at the RSA Conference.
GDPR enforcement is still in early stages, privacy chiefs say. “Enforcement is a toddler, so we need to buckle our seat belts to see what happens,” said Ruby Zefo, chief privacy officer at Uber Technologies Inc.
Ms. Zefo predicts the ‘hammer’ will continue to fall on the things companies can control, including having proper data management and hygiene practices. Fines are pretty low, she said, especially in Europe, but once “those shoes start to fall,” it sets a precedent for more.
“Enforcement actions will be indicative of what the regulators care about,” said J. Trevor Hughes, president and CEO at the International Association of Privacy Professionals, a nonprofit group supporting industry participants globally.
For instance, if companies see regulators talking about the 72-hour breach-notification period, that could signal an increase in enforcement actions around it, Mr. Hughes said, adding that firms should treat monitoring enforcement actions through the remainder of 2019 and beyond as crucial.
Kalinda Raina, senior director and head of global privacy at LinkedIn, said enforcement actions become quasi-regulation in a sense. Companies can best understand how the privacy law is going to be enforced and interpreted by looking at regulators’ decisions and how they are assessing fines around them, Ms. Raina said.
Under GDPR, companies need clear consent from users to process their personal data, The Wall Street Journal reported.
- Customers have the right to see what data companies store on them and request some of it to be deleted.
- Data breaches must be reported to the supervisory authority within 72 hours of the company becoming aware of them. Companies that violate the privacy law risk fines as high as 4% of their global annual revenue.
The panelists further highlighted a fundamental point: data privacy management is not just an issue for the legal department. It requires close cross-functional collaboration company-wide. Cybersecurity, privacy, engineering, product strategy and design, technology, and the business units, among others, all need a seat at the table.
The goal of this multi-disciplinary approach is to manage potential privacy and cyber risks holistically. For example, executive and working-level teams work together to innovate responsibly, building in security and privacy by design and fostering brand trust.