By Marilia Wyatt, CyberPrivacy
Companies looking to gauge how the EU’s General Data Protection Regulation will be interpreted should monitor regulators’ decisions around fines and which privacy violations are treated as the most severe, panelists said on Thursday at the RSA Conference.
GDPR enforcement is still in early stages, experts say. “Enforcement is a toddler, so we need to buckle our seat belts to see what happens,” said Ruby Zefo, chief privacy officer at Uber.
Ms. Zefo predicts the ‘hammer’ will continue to fall on the things companies can control, including having proper data management and hygiene practices. She said that while fines are pretty low, especially in Europe, once “those shoes start to fall” it sets a precedent for more.
“Enforcement actions will be indicative of what the regulators care about,” said J. Trevor Hughes, president and CEO at the International Association of Privacy Professionals, a nonprofit group supporting industry participants globally.
For instance, Mr. Hughes says, if companies see regulators talking about the 72-hour notice period for a data breach, and there is an increase in enforcement actions around that, it could signal that a company’s risk profile on notice of security breach has just increased significantly from the regulator’s perspective. To manage the risk, he said, it is crucial that firms monitor enforcement actions through the remainder of 2019 and beyond.
Kalinda Raina, senior director and head of global privacy at LinkedIn, noted that enforcement actions become quasi-regulation in a sense. Companies, she says, can best understand how the privacy law is going to be enforced and interpreted by looking at regulators’ decisions and how they are assigning fines around them.
Under GDPR, companies need clear consent from users to process their personal data, The Wall Street Journal reported. Customers have the right to see what data companies store on them and to request that some of it be deleted. Data breaches must be reported to authorities within 72 hours. Companies that violate the privacy law risk fines as high as 4% of their global revenue. A French regulator recently fined Alphabet Inc.’s Google $57 million for violating GDPR, one of the highest-profile regulatory actions, alleging the search engine didn’t get valid user consent to gather data for targeted advertising.
The panelists further highlighted a fundamental point: data privacy management is not just an issue for the legal department. It requires close cross-functional collaboration company-wide. It is everyone’s responsibility, and cybersecurity, privacy, engineering, product strategy and design, technology, and the business units, among others, all need a seat at the table.
The goal of this multi-disciplinary approach is to manage potential privacy and cyber risks holistically, with executive and working-level teams working together to innovate responsibly by building products with security and privacy by design, and ultimately to build brand trust and competitive advantage.