Since its inception, the General Data Protection Regulation (GDPR) has changed the way we think about personal data and how it is protected globally. Individuals have a new awareness, organizations have been forced to implement technology and processes for readiness and responsiveness, and country and state governments have reassessed local regulations. After a two-year lead-up to enforcement, it was 2019 that saw the first substantial penalties roll in. Let’s take a moment to reflect…
Who’s felt the wrath of the regulators, and why? The most frequent penalties to date have been associated with data breaches (insufficient technical and organizational measures to ensure the security of personal information) or with the misuse of personal information (lacking a legal basis for processing). The most significant penalties announced by the Information Commissioner’s Office (ICO) were against British Airways and Marriott International, with fines of US$230M and US$123M respectively for data breaches.
What’s more interesting is that the true potential financial impact of GDPR has been highlighted indirectly by events that occurred before it came into effect. The ICO fined both Equifax (September 2018) and Cathay Pacific (March 2020) £500,000. This was the maximum penalty available for a data breach that occurred before GDPR came into effect. If those breaches had occurred after May 25th, 2018, the fines would have been significantly more debilitating.
How has the regulatory landscape evolved? Regulations that emulate certain aspects of GDPR have come into effect globally. Brazil’s LGPD, India’s Personal Data Protection Bill and US states including California, Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Washington have introduced similar privacy laws. The California Consumer Privacy Act alone covers the protection of the personal data of its residents, roughly 10% of the US resident population.
2020 has brought new, unexpected challenges. The COVID-19 pandemic is now a global health and economic crisis. What does this mean relative to GDPR?
· From a general data protection perspective, COVID-19 has brought fresh focus to how we share information, and even to where it’s stored, potentially increasing the probability of a data breach.
· Recital 46 details exceptions for data processing where it’s necessary to protect life, and specifically mentions when it’s necessary to monitor the spread of epidemics. Although to date there are 4.5M+ reported infections and 300K+ deaths globally as a result of the COVID-19 pandemic, this isn’t a blanket exception; the legal principles of processing still apply, though processing of personal data that can help turn the tide against further spread is undoubtedly an exception.
· On the individual level, the concepts of immunity passports or the introduction of ‘antibody cocktails’ to temporarily provide immunity have the potential to raise data privacy concerns if these were used to facilitate safer travel without definitive scientific evidence of effectiveness. With whom, and how, would this information be shared? This is sensitive personal information which would need to be passed between government agencies, health organizations, and travel-related organizations.
Regardless of global shifts, we know that organizations with broad data hygiene are better prepared for GDPR compliance now and are likely better able to manage any future changes in regulation. The concept of data hygiene is simple: keep only the personal data that is necessary, store and protect that data appropriately, delete data that is obsolete, and mitigate risk. Bottom line: now more than ever, understanding where personal data resides is fundamental to operational and reputational success.