The Global Reach of GDPR

It isn’t that no one saw it coming.  After all, today’s regimen of European Union General Data Protection Regulations had been crafted under public scrutiny since 2012 and in full force since May 2018.  But its implementation left a degree of uncertainty, particularly among multinationals.

In essence, the GDPR requires corporate and state custodians of personal data to secure that information in order to protect the privacy of European citizens, as well as banning the export of personal data to countries outside that region.  Violations, according to the protocol, could result in fines as high as 4 percent of an organization’s annual revenues. 

Before the new law went into effect, lamentations over the size of prospective fines were widely heard, and during the first year the regulations were in place, GDPR did, in fact, cite a number of violators.  Fines totaling $56 million were levied against those named.  That is not a trivial amount, but for multibillion-dollar companies, it’s a comparatively minor cost of doing business.  So, while GDPR did provide for significant fines, following their first year’s experience, many businesses felt fines would remain relatively low.

Then came news of a 2014 breach at Starwood Hotels & Resorts – one that resulted in a major loss of customer data including passwords, payment card numbers, and other personally identifiable information.  Marriott, which acquired Starwood in 2016, may not have known about the breach or fully understood its significance at the time.  But being hit with a $124 million fine for the incident in 2018 – approximately 2 percent of the organization’s annual revenue – was certainly a wake-up call for the global hotelier.  

It also served as a wake-up call to other companies considering mergers and acquisitions.  Marriott clearly got more than it bargained for when it acquired Starwood, with significant implications for its balance sheet.  What it initially saw as a competitive advantage morphed into a financial burden, in addition to damaging its reputation among potential guests.  Without evaluating the cyber risks to sensitive data held by an acquisition target – without confirming the presence of robust detection and response capabilities around that data – the liability associated with its compromise becomes an unwelcome part of the bargain. 

GDPR Policy

Something similar happened in 2017, after two massive breaches of Yahoo data were disclosed at a time when the company was about to be acquired by Verizon.  As a result, the terms of the sale abruptly changed.  Verizon ended up paying $350 million less than it originally offered.  Beyond that, the two organizations agreed to share the legal and regulatory liabilities resulting from approximately 1.5 billion hacked accounts. 

This year’s fine against Marriott also punctured another widely held belief in Europe.  Prior experience with issues involving personal information suggested that, once the GDPR was in place, the social media giants – the Facebooks and Googles of the world – would be its primary targets.  Although social media remain of keen interest to regulators, the Starwood incident showed that the circle of potential wrongdoing extends to other types of businesses as well. 

GDPR did not, however, create a cyber police force to search for violations.  Instead, a key component of the protocols involves self-reporting of breaches.  Organizations are required to report the exposure of personal data to regulators and affected individuals within 72 hours after becoming aware of such breaches.  Reportable breaches could be as minor as an inadvertent BCC sent to someone, or as major as a detailed customer database exposed online.  IAPP – the Information Assurance and Privacy Practitioners – recently issued a study of what happened the first year of GDPR.  Throughout Europe and its partner nations, between May 2018 and February 2019, regulators received approximately 59,000 breach notifications; 91 of them resulted in fines, most of which were relatively small.  However, in the view of many observers, the actual number of breaches may be far greater, many of which could involve the exposure of thousands or even millions of files. 

The drive to protect personal data is not unique to Europe.  While national legislation may be a victim of partisan gridlock, the U.S. Federal Trade Commission recently approved a $5 billion fine against Facebook for mishandling users’ personal information.  Singapore has its own Personal Data Protection Act, similar to GDPR.  Australia has its Privacy Principles.  Even South Africa has a detailed privacy protocol.  

But while the world has witnessed progress in the protection of personal data and in the priority given to third-party risk management, significant cultural differences affecting the ownership of information remain.  In the United States, for example, many types of data which would be considered off limits in Europe are openly collected and freely exchanged.  For companies based in the U.S. with customers and files in many different countries, reconciling conflicting practices and laws is likely to remain a serious headache for years to come. 

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.