2017 looks to be the year when privacy and data security compliance expectations here and across the Atlantic become clear and compelling for U.S. companies. Companies know that huge privacy and security fines lurk in the European Union, but they may not truly understand the seismic changes coming to Europe’s privacy regime.
At home, U.S. boards loathe consumer, market and regulatory scrutiny that follows data breaches — just ask Yahoo. They undertake (or delegate) data security risk analysis and mitigation, and begrudgingly budget (not enough) for cybersecurity. But the significance of nitty-gritty data security regulatory enforcement standards and data breach class litigation likely aren’t on the boardroom radar.
A last best chance awaits companies in 2017 to effectively educate themselves about these issues and invest in necessary legal and technical resource-building.
The EU Data Protection Regulation Tidal Wave
It is hard to overstate to companies the importance of using 2017 to get ready for EU privacy and security changes. In May 2018, the new General Data Protection Regulation (GDPR) takes effect as a replacement for the present, two-decades-old privacy framework.
Under the new GDPR, companies must notify privacy regulators within 72 hours of discovering a data breach. Also, many companies must name data protection officers, and all businesses will face tighter consent obligations for using personal data.
Additionally, there are the dizzying maximum fines of 20 million euros ($22.5 million) or up to 4% of a company’s global revenue. For example, Alphabet’s Google had $60.6 billion FY2015 global revenues, and 4% of that total is $2.4 billion. That would be a pretty steep fine for a single GDPR violation. It is highly unlikely that the EU will seek such astronomical sanctions, but the possibility of that kind of bottom line impact should motivate companies to better prepare for the GDPR.
Companies should benchmark their existing EU compliance program against the new GDPR. Breaking the task into piece-by-piece chunks can make the project more digestible.
FTC Data Security Enforcement Authority Clarification
For nearly 15 years, the Federal Trade Commission (FTC) has taken action against companies that it felt weren’t doing enough to protect consumers’ personal data. But critics argue the commission is operating without direct authority to carry out such enforcement and is asking companies to meet unclear standards about what is reasonable data security.