Since its implementation in May of 2018, GDPR has been the subject of much discussion but little concrete action by many companies on both sides of the Atlantic. GDPR outlines stringent requirements for data and privacy protection for EU and EEA citizens, but many organizations have struggled to fully understand, much less implement, compliance programs to meet these requirements. The threat posed by GDPR-driven fines has until recently seemed a vague one for many companies — applicable only to IT giants like Facebook, Google, and Microsoft.
This week the cost of non-compliance with GDPR became much more concrete with the news that the U.K.’s Information Commissioner’s Office (ICO) has levied massive fines against both US-based Marriott International and UK-based British Airways. Marriott’s £99m in fines stem from multiple data breaches in 2014 and 2016 that compromised the privacy of more than 500 million customers. British Airways (BA) saw an even larger £183.39m fine as the result of a 2018 data breach that exposed the credit card information of hundreds of thousands of BA customers.
Two points are worth noting for businesses looking to avoid a similar fate: 1.) both companies have traditionally been seen as good stewards of customer trust and are highly regarded brands, and 2.) the scale of these fines, while enormous, is still less than the maximum permitted under GDPR’s guidelines (1.5% of BA’s revenue and 2.4% of Marriott’s revenue versus the 4% permitted under GDPR). In other words, if massive fines like these can happen to well-run companies like BA and Marriott, they can happen to anyone who has failed to account for new data privacy realities.
The lessons for companies looking to avoid GDPR fines and retain their customers’ trust are clear. Know where your customer data lives, ensure that it is appropriately secured, and work actively to govern that data to minimize risk. Since enterprise applications and data sources are often far-flung and diverse, flexible tools for discovering what’s out there and better governing it via coherent policies are essential to assessing and addressing any vulnerabilities.
Everteam works with organizations around the world to give them visibility into structured and unstructured data across their enterprise, wherever it lives. Our products identify sensitive information and provide tools to better manage it for improved compliance, lower IT costs, and better operational efficiency. For those looking to reduce their liability, avoid fines, improve service, and enhance customer trust, Everteam is there to help. We work with some of the world’s leading brands to navigate the regulatory hurdles posed by GDPR, CCPA, NYDFS, and a host of other data privacy protections being enacted by regulators worldwide.