Don't Lose 4% of Your Company's Global Turnover Due to GDPR Regulatory Negligence
Jonathan Rouach, CEO and Co-Founder of QEDIT
In the GDPR defined compliance era, the mishandling of data has become more and more costly for enterprises from a financial and reputational standpoint. As such, a strong compliance culture should be top of the list of priorities. The importance of adopting a compliance-centric strategy has been amplified in recent years following the Cambridge Analytica scandal that rocked Facebook to its core in early 2018, shining a light on the ease at which user data could be manipulated by external actors.
Since then, a string of high profile data breaches involving the likes of British Airways, T-Mobile, and Quora have undermined trust among consumers in enterprises. Companies must now deal with the tidal wave of data-savvy citizens who are aware of how their information is used and, in some cases, abused.
New regulation such as GDPR and the impending California Consumer Privacy Act, is setting the tone for the compliance era, in which companies need to be more mindful of how and why they store and use personal data of customers. Companies can suffer up to €20 million in fines, or lose 4% of their global annual revenue, if the breaches infringe on the basic principles for processing data, including conditions for consent.
The criteria that determines the size of the fine issued depends on the scale of the infringement; whether it was intentional or an act of negligence; and what kind of preventative measures were in place. These fines aren’t reserved for medium to large sized enterprises — they apply to every business that collects, stores, and processes customer data.
The GDPR effect, one year on
While the threat of hefty fines looms large, there are a number of other lessons for companies to take heed of. When a company accidentally or unlawfully discloses the personal data of an individual, the company is obliged to report the incident to their national data protection authority within 72 hours of discovering the data breach.
Since GDPR was introduced, European data protection authorities have received almost 90,000 separate data breach notifications from companies, as well as almost 145,000 complaints or queries from concerned citizens in relation to their rights — illustrating the high levels of engagement among enterprises and citizens alike.
Aside from the fallout of several high-profile data privacy violations, the implementation of GDPR regulations has caused a paradigm shift for the emerging technology space. IoT devices must find ways of ensuring consent is obtained on all data gathered. AI systems must be built to facilitate deletion of data and secure storage. According to Gartner , privacy concerns will “drive at least 10% of market demand” for information security services through 2019.
In the case of blockchain technology, GDPR has been cited as a major potential hindrance to the widespread adoption of the technology. Privacy and ‘the right to be forgotten’ are core tenets of GDPR, while transparency and immutability are the promises of blockchain, hailed by many as a secure technology for storing data.
The seemingly incongruous nature of blockchain and GDPR has inspired projects to find workable solutions that could not only safeguard blockchain’s core values of decentralization and innovation but also create a secure infrastructure to comply with existing privacy laws. Additionally, companies are keen to avoid building tech that doesn’t comply fully with new GDPR regulations.
The dangerous financial and reputational repercussions of regulatory non-compliance can dissuade companies from collaborating with other enterprises on data sharing initiatives. One potential solution to this dilemma is Zero-Knowledge Proofs, which provide a way to prove one knows a value x, without conveying any information apart from the fact one knows the value x.
Zero-Knowledge Proofs can prove that something is true to the verifying party, without disclosing specific underlying details. This opens up a new pathway for enterprises to utilize consumer data without placing this data in unsafe, non-compliant environments. Innovations of this nature will be the key to the success of businesses in the face of regulation.
The rise of compliance culture
Proactively exploring these kinds of innovative new solutions that facilitate regulatory adherence should be part of any company’s compliance strategy, along with the adoption of a strong compliance culture that goes beyond a shallow media stunt. Over a year removed from the Cambridge Analytica scandal, Facebook recently unveiled the company’s proported ‘pivot to privacy’ strategy, starting with a redesign that places more of an emphasis on private group activity. This very public effort to demonstrate an appreciation for user privacy comes as Facebook faces a potential $3-5 billion fine from the Federal Trade Commission relating to privacy violations.
The Deloitte GDPR Benchmarking Survey reports that “the use of innovative approaches to compliance requirements can help organizations to understand the privacy impact on wider business risks and pain points, and to gain better insight into peer activity to maximize the role of privacy in the organization’s strategy”. Despite placing new restrictions on tech companies’ ability to access data in the short-term, 61% of companies see additional benefits of GDPR-readiness beyond penalty avoidance.
With fines of up to 4% of annual revenue awaiting companies that mishandle consumer data, enterprise apprehension is understandable. However, GDPR can spur the creation of dynamic new solutions, and help accelerate the development of robust corporate compliance cultures. Putting power in the hands of consumers regarding their own data represents a positive stride forward for our global society, and achieving GDPR compliance ultimately places corporations in a safer place.
The onus is now on enterprises to adopt new solutions that help them maintain regulatory compliance while also enabling inter-organizational collaboration without moving sensitive data. Zero Knowledge Proof cryptography can facilitate this vision while also strengthening the regulatory credentials of companies. The compliance era mandates increased transparency from enterprises, which could offer opportunities for businesses to use privacy to their advantage, demonstrate ethical conduct, and strengthen trust with the consumer.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.