This article was originally published on Khaleej Times
Prelude
Decision makers in the European Union (European Union, the Council & the Commission) reached an agreement in December of 2015 on something that they had been working on since 2012. This decision, as it turns out would have a major impact globally. This decision was to agree on a revised framework for data privacy, data ownership & data handling, which was meant to apply to EU & its citizens. The EU defined May of 2018 as the month when this new framework would become effective, something which had not been changed since 1995 [European Data Protection Directive (Directive 95/46/EC)].
The basic tenets of EU GDPR, or GDPR in short, are not really different from what is common knowledge, but what differs now is that it has been codified into a regulation, something which had not been done earlier. In this article, we will go through these basics & get to understand how GDPR is in fact very good for business in the long term.
Why data security is important?
This is a rhetorical question to begin with! Our constantly-connected world has increasingly become digital to an extent that now it is possible to live comfortably without having to ever step out of our homes. We can work remotely, order food from home, communicate with our loved ones digitally & shop online. There is barely any activity which cannot be performed online. This has increased the amount of digital footprint that our lives leave behind & the amount of data that is recorded, transmitted & generated about ourselves.
With this increase in digital information about everyone, it is meaningless, may be even unwise to ask why data security is important. In the pre-digital era, we would protect our offline assets, our house, our car, our paper documents, and our electronics; and in the post-digital era, when each of physical assets have been virtualized, it is expected that we need to protect our digital assets.
We do not ask why insurance is important for peace of mind of our family or why seat-belts are important for our safety or even why ensuring safety & security of our family is important! In same tone, we should stop asking why data security is important.
Pre-GDPR era
The European Union, when it took up evaluation of the European Data Protection Directive (Directive 95/46/EC) realized several logical flaws in data protection guidelines, principles & regulations.
Data collectors were effectively free to do whatever they wanted to do with it no matter who it belonged to, how it was stored, how it was handled, what was intended to be done with it. This freedom arose out of a lack of clear guidelines & boundaries, mainly since the then existing framework had not defined them well enough. This led to a culture of interpretation in manners that served their own business goals.
Another fallout of a weakly defined framework was that data collectors & data processors were unsure on exactly how data security should be implemented. While companies genuinely intended to protect their customer’s information, they were unsure about how exactly they should go about doing this. In absence of national regulations to guide them, internal policies ended up being undefined or under-defined.
And finally, a major consequence of the previous framework was that data privacy protection as a business activity became largely self-regulated. This created a conflict between business objectives & security objectives in organizations. Business objectives would frequently dominate over security objectives due a constant pressure on profitability. Many organizations which displayed clear intentions of upholding high standards of data privacy & security chose to adhere to frameworks such as ISO 27001, but without a regulatory mandate, it became a case of choice & not compulsion. The EU identified this gross failure & decided that self-regulation was clearly not the way forward.
There are several examples of global successes involving regulations making it clear as to what organizations are permitted to do & what they must avoid. Financial & Banking industry is one such case where it could not exist without such regulations.
In the domain of data security, which is a relatively newer field, Singapore’s PDPA & HIPAA from the United States of America are excellent examples. Governments of several countries have silently been working on setting up regulations which are strong enough to set up clearly defined boundaries & principles.
Impact of a Data Breach
While news of a data breach are surprising, data breaches have had significant negative impact on several organizations. The most major impact that an organization faces when a data breach happens is a permanent loss of goodwill. They become examples of data security breaches. They get quoted, over and over again, in conferences, in discussions, during audits, in training programs. This impact takes a very long time to disappear. Some examples of major data breaches and their impact are listed below. These should make it clear that data breaches are usually very costly whenever they happen.
- Multiple data breaches in 2013 & 2014 knocked an estimated $350 million off Yahoo’s sale price in 2016 when it announced that the breach was larger than it had estimated earlier.
- Following a breach in 2008, Heartland Payment Systems was deemed out of compliance with the Payment Card Industry Data Security Standard (PCI DSS) and was not allowed to process the payments of major credit card providers until May 2009. The company also paid out an estimated $145 million in compensation for fraudulent payments.
- After a breach in 2013, Target’s CIO resigned in March 2014, and its CEO resigned in May. The company later estimated the cost of the breach at $162 million.
- The data breach is believed to have cost Uber dearly in both reputation and money. At the time that the breach was announced, the company was in negotiations to sell a stake to Softbank. Initially, Uber’s valuation was $68 billion. By the time the deal closed in December, its valuation dropped to $48 billion. Not all of the drop is attributable to the breach, but analysts see it being a significant factor.
- In 2014, Sony agreed to a preliminary $15 million settlement in a class action lawsuit over the breach that occurred in 2011.
What does GDPR expect from businesses?
GDPR is legally worded & presented, but it is easy to understand its general principles. GDPR wants businesses to care about data security of subjects, have a sense about rights of data subjects, and enforce responsibilities of the Controllers & Processors who manage & work on the data.
- Every business activity involving someone’s data should to be lawful, fair and transparent. This is a straight-forward expectation. No business is permitted to use data illegally, unfairly or covertly.
- What is expected to be done to someone’s data should be expected by, & known to, the person whose data it is. In other words, anyone should not be surprised with what a business does with their data.
- Businesses should gather only necessary amount of data for the purpose of carrying out their business.
- The data you keep must be accurate. Active involvement & engagement of data owner is recommended to maintain accuracy over a long period of time.
- Business should only keep data for as long as it is needed. Once someone’s data is not required anymore, businesses should delete it.
Global relevance of GDPR
Owing to the fact that the EU has spent significant time & effort in evaluating changing needs of data privacy & security, following which it came up with a robust regulatory framework, several governments internationally are changing their own Data Privacy & Security Laws to reflect elements of EU GDPR within their own regulations.
This in essence makes GDPR not a Europe-specific regulation, but an international one, although implemented & enforced by various Governments.
It is commonly believed within security circles that adhering to GDPR makes an organization automatically comply with most of global standards & regulations. This belief also extends to organizations & security professionals seeing a major change in how internet behaves.
What does GDPR mean for Consumers & why it is good for business?
Consumers in general are not against the idea of sharing their personal information with businesses. Rather they dislike it & react strongly if their trust is breached, which may be because an organization did something with their data which they did not consent for, or something that they did not expect an organization to do, or something that they clearly were opposed to when sharing their data.
And consumers are especially offended when organizations take them for granted & do something that undermines their value. This last point has been sufficiently proven by the worldwide outcry following revelations of how Facebook carelessly handed over data to Cambridge Analytica without consent.
Consumers also tend to become upset when their trust is implicitly breached when organizations do not implement adequate levels of security to protect their data and which eventually leads to a breach. In such cases, consumers are usually more forgiving, as long as the organization is genuinely apologetic & takes measures to improve their security. This case has played out several times as with Sony PlayStation, Target, LinkedIn & Equifax, all being major breaches due to lower standards of security. All these organizations followed up their breach with improved standards of security.
GDPR addresses all of these issues of consumer trust by making it mandatory for organizations to ensure that proper consent is obtained, data is handled exactly as indicated, data is never handled carelessly, adequate measures of security are implemented to protect data, control of data is handed back to consumers, & data is deleted when not required anymore.
As against earlier times, when organizations decided for themselves as to what & how they handle security, EU GDPR makes it mandatory, makes it clear & makes it explicit. Organizations have a ready set of principles on how to go about handling consumer data & what are the bare minimum set of things that they need to do while dealing with data.
Organizations do not need to self-regulate anymore. Adhering to GDPR makes it easy & makes it clear. This leads to a scenario where trust levels of consumers on businesses improve automatically. Consumers now know that organizations are adhering to a set of principles & this is why they will trust them more.
Trust is good for consumers & trust is good for business.