People are increasingly fed up with their personal information being leaked. Look at the recent case with the Equifax breach in the United States. Some 143 million people may have had their most sensitive data leaked, including names, Social Security numbers, birth dates, addresses, and, in some instances, driver’s license and credit card numbers. That’s a big deal.
It remains to be seen if anyone in Equifax will face jail time, but it’s already resulted in the CEO, CIO, and CISO being forced to leave the company.
American companies could learn a lot about data protection and privacy from our friends in Europe. For Europeans, the right to data protection and privacy is a fundamental right similar to our right to free speech. This right has been further strengthened with the latest general overhaul of the data protection and privacy legislation, the EU General Data Protection Regulation (GDPR), which will apply in May 2018. Potential fines for not following the GDPR are no longer a slap on the wrist, but instead could seriously endanger a company’s livelihood. Along with increased fines, there is also talk of possible jail sentences for senior managers in cases of intentional violations. Realistically, the average employee will not likely face jail time for not following proper data protection and privacy policies, but data protection and privacy is everyone’s responsibility in a company.
So, what can you do to protect yourself and your organization’s reputation? You may want to appoint a competent data protection officer (DPO). The DPO is responsible to advise and monitor data protection compliance within the organization. Typical tasks of a DPO include:
- Inform, advise and issue recommendations to the company regarding compliance with data protection laws
- Assist with the implementation, management and monitoring of data protection strategy and the creation and roll-out of policies, guidelines and data protection awareness training
- Monitor compliance against the relevant data protection and privacy regulations
- Identify and manage risks related to data protection, and escalate data protection risks and issues to executives, as needed
- Cooperate with the designated supervisory and other data protection authorities, and consult, where appropriate, on issues relating to data processing
- Provide advice where requested as regards the Data Protection Impact Assessments (DPIAs) and monitor their performance accordingly
Under the GDPR, it will become mandatory for certain companies to designate a Data Protection Officer. This will be the case for all public authorities and bodies that process personal data, and for other organizations that – as a core activity – monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale. The Article 29 Working Party has provided additional guidance (paper 243 – PDF download) on the topic.
Getting back to the Equifax example. If Equifax was subject to the upcoming GDPR regulation, they could have faced a fine of around $62.9 million (based on its 2016 operating revenue of $3.145 billion) for not reporting the data breach earlier – and senior management may have faced criminal charges. A good DPO would have advised the company to come clean immediately. Unfortunately for them, they did not do that and Equifax is now a household name in the US – for all of the wrong reasons.
Learn more about how SAP SuccessFactors can help you prepare for the General Data Protection Regulation here.