May 2018 marked the onset of a series of data protection changes that at first appeared to affect just one part of the world. On 25 May 2018 the General Data Protection Regulation (GDPR) became applicable across the EU, raising the standard of personal data protection for companies doing business there; enforcement falls to the national supervisory authorities of the member states. Any organization operating in the EU, or offering goods or services to people in the EU, became subject to the new rules, whether it was established in the region or a foreign business targeting EU consumers.
The regulation's general objective is to restrict the processing of personal data (its collection, storage and use) to what has a lawful basis and a specified purpose, and to give individuals enforceable rights over their information. The tighter limits on processing give consumers greater privacy and more control over their personal data. For companies, its enforcement meant that the stakes for accountability became much higher and much costlier: the maximum penalty is 20 million euros or 4% of annual worldwide turnover, whichever is higher.
Failure to Comply
Some companies' failure to comply with the GDPR was exposed almost immediately. Between 21 August and 5 September 2018, British Airways suffered a 15-day breach in which attackers compromised its website and gained access to the personal and payment card data of roughly 380,000 customers. In July 2019 the Information Commissioner's Office (ICO) announced its intention to fine the airline £183 million (about 230 million USD) over the incident.
Last month, Marriott International experienced the repercussions of a GDPR violation it inherited through its 2016 acquisition of Starwood Hotels and Resorts. After it emerged that Starwood's guest reservation systems had been compromised since 2014, in a nearly four-year intrusion involving a Remote Access Trojan that gave the attackers control of the affected systems, the ICO announced its intention to fine Marriott £99 million (about 123 million USD). Just over a year after the GDPR took effect, the EU supervisory authorities show no sign of leniency when it comes to violations.
With fines issued under the GDPR multiplying, how has the regulation served as a model worldwide for companies accountable for personal data?
Companies Respond to the GDPR
For fear of violating the GDPR, companies have made major changes to their cybersecurity infrastructure, and not only in the EU. Many foreign corporations have adopted practices that mirror GDPR compliance. Many large U.S. companies, for example, now have a Chief Information Security Officer on staff, a position that was not common even ten years ago. Many company websites now display consent notices prompting users to accept cookies and privacy policies before they continue.
The global push for stronger data security and privacy works to earn consumers' trust. This worldwide trend, however, may not remain a voluntary practice for long. In January 2019 the EU and Japan's mutual adequacy decisions took effect, recognising that Japan's amended Act on the Protection of Personal Information (APPI) provides protection comparable to the GDPR. In 2020 the California Consumer Privacy Act (CCPA) takes effect, serving essentially as a U.S. state-level counterpart to the GDPR.
A Preemptive Strategy
Higher standards for data protection reduce the risk of unauthorized access, but they do not necessarily mean breaches will become less common. Compliance has not brought about a dramatic reduction in security breaches, and it is unlikely that data can ever be fully safe from outside attacks.
Instead, the GDPR has pushed companies to be more mindful of the risks their systems face and to be prepared when an incident occurs. Because a personal data breach must be reported to the supervisory authority within 72 hours of the company becoming aware of it, corporations are prompted to detect and respond faster and more efficiently in order to avoid heavy fines. A heightened value on data protection has become the norm for most companies, and the trend will help prepare them for updates to data protection laws worldwide.
Where Does the GDPR Fall Short?
Under the umbrella of heightened data privacy sits the GDPR's rule on criminal background data. Article 10 allows personal data relating to criminal convictions and offences to be processed only under the control of official authority, or where the processing is authorized by EU or member state law. This is a problem for due diligence work, specifically for organizations tasked with vetting entities against anti-bribery and anti-corruption requirements.
In the U.S., those working under the Foreign Corrupt Practices Act (FCPA), which prohibits companies from bribing foreign officials to obtain or retain business, may struggle to carry out that work without violating the GDPR. Organizations responding to whistleblowers meet a similar problem. When whistleblowers disclose their own or others' personal information while reporting internal corruption, the recipients may find themselves unable to lawfully process that data. To a degree, anti-corruption practices are forfeited when data privacy is prioritized. As more nations model their own data protection policies on the GDPR, a push for clearer due diligence exceptions may emerge in the early years of the GDPR and its foreign imitations.
Anna Rose interned in Prescient’s Due Diligence practice. She graduated from DePaul University with majors in Arabic Studies and International Studies, and will be spending the next nine months studying in Jordan as a Boren Scholar.