Could a data breach be worse than a fine for non-compliance?


Much has been written about the business impact of GDPR and other regulations. However, although being found to be non-compliant can result in a shockingly high fine, is this worse than a damaged reputation, with all the loss of business that can ensue?

What makes regulatory compliance so complex is that there is no ‘one-size-fits-all’. Each regulation has a different focus, with different rules aligned to its individual purpose, sometimes with conflicting requirements. For example, financial institutions must comply with anti-money laundering (AML) and fraud regulations that impose strict controls on transaction reporting. Yet AML compliance must also be in line with GDPR, which focuses on the capture, use, securing and disposal of customer personal data.

However, leaving the question of fines for non-compliance aside for a moment, the ultimate purpose of these regulations is not to increase workload, but to ensure that data is reported accurately, to protect it from inappropriate use and to identify possible illegal activity. Unfortunately, many companies first find out that they are not adequately managing and protecting their data not through a visit from the regulators, but when they suffer a data breach.

The impact of a data leak

When data leaks occur without public disclosure, severe financial and reputational consequences can follow when the incident is finally disclosed. Take, for example, the Yahoo breach and the Facebook/Cambridge Analytica debacle, which, while not a breach, involved questionable handling of private data.

In 2013 and 2014, almost three billion Yahoo user accounts were affected by hacking attacks, making it the largest data breach disclosed to date, and yet it took over two years for Yahoo to report it. The impact on Yahoo’s reputation was significant and cost the company real money. Not only did Yahoo face a $35 million penalty from the SEC for failing to disclose the breach to investors, but the incident also threatened its acquisition by Verizon, which cut the purchase price by $350 million.

This year’s Facebook/Cambridge Analytica scandal shows the potential damage when the use of data cascades out of control. The story involves the unauthorised use of personally identifiable information of up to 87 million Facebook users. While the data was harvested through permissions given by a third-party quiz, questions were raised about how the data was provided to Cambridge Analytica and what rights they had to use it.

Facebook’s share price dropped 8.5 per cent and, more importantly, polls showed a 66 per cent drop in consumer confidence in Mark Zuckerberg, who was subjected to US Congressional and EU scrutiny. Just 28 per cent of the Facebook users surveyed after Zuckerberg’s testimony believed the company was committed to privacy, down from a high of 79 per cent just a year earlier.

An organisation must know where its data is located, whether it has the right to use it, afford it the requisite level of protection, be immediately aware when it has been breached and know the population of individuals affected. It must also know where its data flows and track it to ensure it is not subjected to improper or disallowed use. If an organisation fails to manage its data along this complete journey, the regulators will be the least of its worries.

Fines are, after all, typically a one-time event, and a successful company can often recover quickly from the financial setback. Reputational damage is different. It plays out in public, and when customers lose trust in a brand the financial impact is felt in the long run, not just directly through lost business but also through a drop in market value.

However, understanding how data travels across an organisation’s many platforms and services, how it moves outside the organisation, and how it interacts with third-party web services and APIs can be an overwhelming task. The exercise is nonetheless necessary in order to put in place the basic recording, inventorying and reporting processes that maintain compliance over time.

Technology is not only helpful in this process, it is essential to achieving and maintaining compliance. Automated discovery and data lineage create and maintain transparency. Reporting supports an “audit ready” position so that supervisory authority inquiries can be answered without a fire drill, while change detection over the data inventory prevents new problems from sneaking in.

Many companies are finding that a data catalogue ensures any user can easily find and use data as needed. A software-driven or intelligent data catalogue can locate even the most complex data within a data estate, ready for analysis and decision making. This enables users to spot personal information amongst new data, and a comparison between data lineage versions alerts them to changes in how that personal data is handled.

Technology solutions such as Data Intelligence can go a long way to providing peace of mind here. Intelligent Data Analysers examine data and metadata to promote comprehensive understanding, including detailed automated data lineage for insight at a deeper level. Out of the box reports assist with GDPR compliance, offering a GDPR inventory dashboard and a set of reports summarising Privacy Impact Assessments (PIAs).

These reports, together with process maps that show how protected data moves through the organisation, are critical to data security and compliance. They can show where data is vulnerable and whether, and how, it moves to outside processors or beyond protected areas. The company will also need to record that protections are in place for such transfers through model agreements and binding corporate policies.
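The two capabilities described above, spotting personal data in a data estate and comparing lineage versions to catch changes in how it is handled or where it flows, can be illustrated with a small script. The example below is added here and is not code from ASG or any other product; the column names, sample values, lineage records and the classification heuristics (name hints plus regular expressions for e-mail addresses and IBAN-shaped values) are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Heuristics for recognising personal data from sample values (assumed, not a standard).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE)
IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")
PII_NAME_HINTS = ("email", "dob", "birth", "national_id", "passport", "iban", "phone")


def classify_column(name, samples):
    """Return True if a column looks like personal data, from its name or its sample values."""
    if any(hint in name.lower() for hint in PII_NAME_HINTS):
        return True
    values = [str(s) for s in samples if s is not None]
    if not values:
        return False
    hits = sum(1 for v in values if EMAIL_RE.match(v) or IBAN_RE.match(v.replace(" ", "")))
    return hits / len(values) >= 0.8  # most sampled values match a personal-data pattern


@dataclass(frozen=True)
class Flow:
    """One edge in a lineage map: a column moving from a source to a sink."""
    source: str
    column: str
    sink: str
    protection: str      # "plaintext", "pseudonymised" or "encrypted"
    external_sink: bool  # True when the sink is an outside processor


PROTECTION_RANK = {"plaintext": 0, "pseudonymised": 1, "encrypted": 2}


def compare_lineage(old, new, pii_columns):
    """Diff two lineage versions and report changes affecting personal-data columns."""
    old_map = {(f.source, f.column, f.sink): f for f in old}
    new_map = {(f.source, f.column, f.sink): f for f in new}
    findings = []
    for key, flow in sorted(new_map.items()):
        if flow.column not in pii_columns:
            continue
        prev = old_map.get(key)
        if prev is None:
            kind = "NEW_EXTERNAL_PII_FLOW" if flow.external_sink else "NEW_INTERNAL_PII_FLOW"
            findings.append((kind, key))
        elif PROTECTION_RANK[flow.protection] < PROTECTION_RANK[prev.protection]:
            findings.append(("PROTECTION_DOWNGRADED", key))
    for key in sorted(old_map.keys() - new_map.keys()):
        if key[1] in pii_columns:
            findings.append(("PII_FLOW_REMOVED", key))
    return findings


def discover_pii(columns):
    """Run the classifier over every column of a (constructed) table profile."""
    return {name for name, samples in columns.items() if classify_column(name, samples)}


# Constructed sample profile of a customer table: a few sample values per column.
SAMPLE_COLUMNS = {
    "customer_id": ["1001", "1002", "1003"],
    "email": ["ana@example.com", "bo@example.org", "cy@example.net"],
    "account_ref": ["GB82WEST12345698765432", "DE89370400440532013000", "FR1420041010050500013M02606"],
    "plan": ["basic", "pro", "basic"],
}

# Constructed lineage maps: version 2 weakens one flow and adds one to an outside processor.
LINEAGE_V1 = [
    Flow("customers", "email", "marketing_dw", "pseudonymised", False),
    Flow("customers", "account_ref", "payments_svc", "encrypted", False),
    Flow("customers", "plan", "analytics_lake", "plaintext", False),
]
LINEAGE_V2 = [
    Flow("customers", "email", "marketing_dw", "plaintext", False),   # pseudonymisation dropped
    Flow("customers", "account_ref", "payments_svc", "encrypted", False),
    Flow("customers", "plan", "analytics_lake", "plaintext", False),
    Flow("customers", "email", "ad_partner_api", "plaintext", True),  # new flow to an outside processor
]


def run_check():
    pii = discover_pii(SAMPLE_COLUMNS)
    return pii, compare_lineage(LINEAGE_V1, LINEAGE_V2, pii)


if __name__ == "__main__":
    pii, findings = run_check()
    print("personal-data columns:", sorted(pii))
    for kind, (src, col, sink) in findings:
        print(f"{kind}: {src}.{col} -> {sink}")
```

Note that `account_ref` is flagged purely from its values, which is the case the name-only approach misses; and the diff reports both the silent downgrade from pseudonymised to plaintext and the new transfer to an external sink, which is exactly the kind of change that would need a processor agreement on record.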

Today’s reliance on data to fuel predictive analytics means businesses believe there is value in keeping data lakes for future business goals. On the whole, however, they need to become better at discarding what is not necessary, and GDPR helps by requiring that personal data be kept no longer than is needed for the purpose it was collected for.

It may sound complex, but with the right technology it becomes nothing less than best practice, as well as good protection against losing customer loyalty and, of course, against those extortionate fines.

Jesse Canada, Enterprise Data Management Lead, ASG Technologies
Image Credit: Balefire / Shutterstock