GDPR

GDPR Places the Onus of Data Protection on Organizations

It was the disclosure in 2016 that roughly one billion Yahoo! customer accounts had been breached that caused the crash in the company's value in the deal it had spent months thrashing out with Verizon. The breach nearly scuttled the roughly US$5 billion transaction, and it affected individuals in nearly every country connected to the internet.

If such an incursion happens again after May 2018, any company whose EU customers are affected can expect scrutiny under the new EU data-protection rules, the GDPR. A breach is not automatically a violation, but a company that failed to implement appropriate security measures, or that failed to report the breach in time, will be found in breach of the regulation.

GDPR Hits Companies in the Pocketbook

The Yahoo! case in particular serves as a cautionary tale for what the EU's General Data Protection Regulation (GDPR) requires of organizations. EU national Data Protection Authorities ("DPAs") will enforce how organizations handle personal data. Organizations established in the EU, and those outside it that offer goods or services to people in the EU or monitor their behaviour, will be responsible for the proper protection of the personal data they collect and maintain. Most companies will also have to modify the ways in which they communicate with customers about that data, and what they do in the event of a data breach.

The intent of the GDPR is to give consumers persistent control over their personal data, in light of the belief that market forces may fail in that regard, according to Will Ackerly, CEO and co-founder of Virtru. The EU will heavily penalize organizations that do not honor binding privacy obligations to consumers. For the most serious infringements, violators face fines of up to 20 million euros or four percent of worldwide annual turnover, whichever is higher; breaches of the security and breach-notification obligations fall under a lower tier of up to 10 million euros or two percent.

In the case of the Yahoo! data breach, the company could have faced a fine of up to US$100 to 200 million, depending on the tier applied, had the GDPR been in force at the time, as its worldwide revenues as reported the year before had been roughly US$5 billion.

However, many details of how the penalties will be decided and applied to the plethora of potential sins corporations may commit remain to be announced. GDPR gives individuals a great many rights that Yahoo!, at the time, disregarded without penalty from any government body anywhere in the world.

Power to the People

Probably the most egregious act of willful negligence on Yahoo!'s part was its delay in informing customers and shareholders that the data breach had actually occurred three years earlier, in 2013. GDPR requires companies to notify the supervisory authority within 72 hours of becoming aware of a breach, and to notify the affected individuals without undue delay when the breach is likely to put them at high risk. Failure to notify is itself a punishable infringement. Where several provisions are infringed in the same or linked processing operations, the regulation caps the total fine at the amount set for the gravest of them, so a single enforcement action covering both the security failure and the late notification is the likely outcome.

GDPR rules will almost certainly affect the digital advertising revenues that companies like the former Yahoo! have come to depend on. When GDPR takes effect, companies will have to give current and potential customers explicit opportunities to decide how organizations may use their personal data.

For instance, companies will have to present clear, up-front means online through which customers can consent to the company using their information at all, and consent cannot be buried in pre-ticked boxes or general terms. Individuals also have the right to object to use of their information for direct marketing purposes, which the company must then stop. And any time a user asks to see what a company holds about them and how it is used, the organization must provide that information, normally within one month.

Privacy Bill of Rights

GDPR protects a wide range of personal data, including:

  • Basic contact information such as name, address and ID numbers;
  • Online identifiers such as location data, IP addresses, cookie identifiers and RFID tags;
  • Health and genetic data;
  • Biometric data;
  • Racial or ethnic origin;
  • Political opinions;
  • Sexual orientation.

Of course, GDPR also protects an individual’s financial and banking data, which are prime targets of criminal gangs.

Mobile Apps May Be Defenseless

An enterprise whose customer accounts are compromised through the mobile applications it rolls out internally or to its customers is still the controller of that data and will still be held accountable under GDPR. One of the most effective defenses on the client side is application shielding: hardening the app itself against reverse engineering, tampering and runtime attack.

Application shielding adds a layer of protection at the application itself. Most antivirus and network security tooling works at the operating-system or network level; application shielding, by contrast, acts like white blood cells that protect a particular organ in the body from attack, travelling with the app onto devices the enterprise does not control. It does not replace server-side controls, however: a shielded client still talks to back-end APIs that an attacker can reach directly, so authentication, authorization and data handling must be enforced on the server as well.

The Cost of Privacy Negligence

Yahoo! lost US$350 million in its deal with Verizon, settling on a final sale price just under US$4.5 billion. Had the negotiations occurred just one year later, Yahoo! would likely have faced tens to hundreds of millions of dollars more in DPA enforcement of GDPR.

Though many companies expect to pay penalties in the first year GDPR is in force, data security can certainly be tightened to reduce the opportunities for theft of personal information. Application shielding is one of the more effective technical defenses an organization can implement to improve its chances of avoiding steep fines and public relations disasters.