For the past 2+ years I have been talking about 4 percent of annual turnover. While talking to corporations about educating their staff on privacy, or convincing IT departments to take a more active role in data stewardship, I have been saying things like, “It’s better to be educated and take some action than to wait and see.”
Well, if you’ve been paying any attention to the news, it looks as though the wait time is over. The General Data Protection Regulation has been in effect for more than a year, and we are beginning to see some hefty fines getting doled out. As you would expect, regulators are eyeing some of the largest players dealing in personal data (think Facebook and Google).
That being said, the first major hits were to organizations you might not think of — well, certainly not in terms of dealing in personal data — Marriott and British Airways!
Marriott International, headquartered in Bethesda, MD, managed to get a whopping $123 million, and British Airways, headquartered in the U.K., almost twice that much at $230 million. Interestingly, both fines come in at approximately 1.5 percent of their respective annual turnover. This is significant, for sure, but the GDPR’s maximum fine is 4 percent. It will be interesting to see what types of violations this sum is being reserved for — presumably flagrant misuse of personal data.
Let’s take a look at the Marriott fine: Here we have a U.S.-based company with a global presence hit with a fine that could certainly wipe out smaller organizations and, in fact, represents a decent blow to Marriott (if it stands). It’s a great example of why I’ve been preaching to U.S. businesses for years. While many organizations understood the risk and took action, many others did not. I recall one response to my GDPR speech that went something like, “Well, we just won’t sell into the EU anymore. Why would we take the risk?” As you might imagine, the director of sales was having no part of that and offered the room an education in the importance of the EU market to their future growth.
The fact is, today, if you want to grow your business anywhere you have to attend to data privacy. Most often, however, when I’m giving my pitch in the U.S. market I see that privacy remains an enigma. Many people know it’s important, and that they probably should take some sort of action, but they just don’t know where to start. On top of that, they have valid fears that what they learn will end up costing them, which is often true on the front end — but it may end up saving you plenty in the long run, just ask Facebook.
The bottom line is relatively simple: Be fair and ethical in your handling of personal information.
Data privacy doesn’t have to get in the way of productivity if done right, in fact it can go a long way toward building brand trust and reputation — huge business drivers in today’s market.
So, get educated, and start with these few guiding principles:
- Tell people what information you’re collecting and what you plan on doing with it — and then only do those things with it.
- Offer people choices in how you use and disclose their information — and then respect those choices.
- Limit the amount of information you collect to only what you need for the reason you’re collecting it — and get rid of it when you’re done with it.
- Allow people to review the information you hold on them — and correct it if necessary.
- And finally, keep information safe and secure — and let people know if it’s been compromised.
Data privacy is here to stay. The California Consumer Privacy Act will be in effect before you know it, and other laws are on the way, so you will need to pay attention. If you are unsure how this will affect you and your organization, call us; we can help.