With the invalidation of the EU-US Safe Harbor agreement in October 2015, and the introduction of its successor, the EU-US Privacy Shield, privacy compliance has been front of mind for businesses and consumers alike. Focus on privacy is only set to intensify with constantly evolving policies being put into place by various lawmakers, social networks and agencies.
But a recent survey shows that 95 per cent of large enterprises are only “somewhat aware” of their legal obligations when it comes to complying with today’s privacy regulations. It’s important that businesses of all sizes understand the cost of non-compliance, as well as the price of manually managing policies in-house. It’s therefore vital to understand how businesses can save time, money and resources managing many of these regulations.
With just five per cent of large enterprises claiming to be fully aware of their legal privacy obligations, it’s easy to see why businesses are often faced with the consequences of non-compliance, which can result in significant fines and even imprisonment. Financial services and healthcare brands in particular face a multitude of legislation.
Some key privacy laws and the costs for violation include:
- UK Data Protection Act 1998: Controls how personal information can be used and your rights to ask for information about yourself. Penalties can be up to £500,000 for a data breach (Dataerasure).
- Russian Data Localisation: This legislation maintains that all Russian citizens’ personal data must be stored on Russian soil and all server locations must be made known to Russia’s communication authorities. The government will block infringing websites and all violators and details around their violations will be added to a roster. Violators will also be fined (Morrison & Foerster).
- PCI Standard: Designed to ensure that all merchants who process, store or transmit credit card information maintain a secure environment. Penalties for non-compliance include fines of up to £50,000 per infringement, increased transaction fees and terminated bank relationships (Security Active).
But lawmakers and institutions are not the only ones holding businesses accountable when it comes to data privacy – companies must also answer to their customers. As data becomes the linchpin of business success, consumers are growing increasingly wary of how their personal information is being used.
A recent survey revealed that 90 per cent of consumers are at least somewhat concerned about their privacy. What’s more, the number one thing that would make them feel more comfortable about providing their personal information is knowing that the data would be used only by the company that they are sharing it with. Fines and fees aside, the most significant cost of non-compliance is losing customer trust and relationships.
Although the cost of maintaining privacy compliance is not nearly as high as non-compliance, according to the most recent compliance report from Ponemon Institute, it still costs businesses a pretty penny.
Source: Ponemon Institute
In fact, a recent Data Protection Compliance Report by IT Governance shows that monetary penalties were more severely enforced for online breaches and cyber-attacks, costing companies an average of £52,308 per incident.
In addition, results from Thomson Reuters Cost of Compliance 2015 survey found that two-thirds of respondents expect skilled compliance staff to cost more, which is in line with the two-thirds who expect their available budget to increase.
So, how can businesses today mitigate the fiscal costs of privacy compliance, as well as minimise the resources needed to monitor and manage evolving regulations?
Automating compliance with CIAM
Best-of-breed, cloud-based customer identity and access management (CIAM) solutions can offload much of the cost, resources and risk from businesses when it comes to maintaining privacy compliance.
For example, a multi-billion pound media company recently adopted a CIAM platform to help manage customer authentication, identities and data for its portfolio of more than 60 websites across 10 countries. With data centres stationed across the globe, this platform has saved the brand significant development time and resources that would otherwise be spent managing regional privacy regulations.
For brands looking to implement social login, a means of authentication that grew by more than 35 per cent from 2012 to 2015, CIAM manages the privacy policies of global third-identity providers like Facebook, LinkedIn, PayPal and Sina – all through a single application-programming interface (API). Harvard Business Review claims to have saved approximately four weeks of development time each year after offloading social login functionality and compliance to its CIAM solution.
Finally, when it comes to traditional authentication, CIAM also gives businesses the flexibility to structure registration forms and flows in keeping with regulations.
All of this can be done at a fraction of the cost needed to retrofit legacy technology and identity and access management (IAM) solutions to keep pace with modern privacy needs. Support and maintenance costs for legacy technology, of which privacy compliance composes a sizeable portion, are approximately 25 per cent of licensing costs. In contrast, privacy maintenance is included at no extra cost by purpose-built CIAM providers.
There’s no doubt about it: privacy can be pricey, whether your business is keeping up with compliance or facing the consequences of violation. Solutions exist to help businesses operate in the best possible way and not rack up sizeable costs because of non-compliance.
Richard Lack, director of sales EMEA, Gigya
Image Credit: Shutterstock/donskarpo