GDPR is thought to be one of the most comprehensive data privacy regulations in the world. The consequences of breaching GDPR are harsh — with potential fines of up to 20 million euros or 4% of annual revenue (whichever is greater). And the incoming ePrivacy regulation will clamp down further on online privacy. However, data privacy compliance has slipped down the agenda during the pandemic, and we may soon see numerous high-profile violations come to light. What is the current situation, and how concerned should organisations be?
In order to survive the pandemic, many companies underwent significant digital transformation, rushing to get their services online to meet shifting customer needs. For example, in May 2020, a reported 40% of surveyed organisations were fast-tracking their move to the cloud in response to COVID-19.
With the focus elsewhere, there have been doubts over whether data privacy has been properly embedded into new digital processes. GDPR also sets out expectations about how data must be protected against cybersecurity risks and unauthorised access, but a recent survey found that 92% of respondents were worried about cloud misconfiguration breaches. The shift to remote work further increases vulnerability to both data privacy violations and cybersecurity breaches.
Regulation enforcement was relaxed in the early stages of the pandemic; however, companies are now expected to ensure compliance. Organisations that cannot do this will face financial and reputational consequences.
Recent security breaches and scandals have increased public awareness of data privacy. For example, the political consultancy Cambridge Analytica caused outrage after it was revealed to have improperly obtained the private psychological profiles of Facebook users, data that was then used for political gain.
The Information Commissioner's Office (ICO) reported a large increase in helpline calls (24.1%) and live chat requests (31.5%) in 2018 compared to the previous year. The majority of these queries concerned subject access, suggesting that members of the public want to know how their data is being handled. According to McKinsey, 87% of surveyed people said they would stop doing business with a company because of concerns over security, and 71% would stop if the company gave away sensitive data without permission. Therefore, not addressing data privacy concerns could have a severe and detrimental impact on business demand.
Physical safety has had to be prioritised over data privacy during the pandemic — and most regulation, such as GDPR, includes government exemptions for such situations. Contact-tracing and symptom-tracking apps have been launched to gather information on COVID-19 and reduce its transmission. However, concerns have been raised about unclear purpose specification, data minimisation, data sharing and the risk of re-identification.
Such apps rely on mass adoption to be effective. In the UK, 1 in 8 people who test positive for COVID-19 are not reached by contact tracers. A further 18% provide no details of close contacts. While the reasons for this low co-operation are complex, a lack of public trust is clearly a factor that can undermine the efficacy of such applications.
Integrated data privacy
While the pandemic is an extreme situation, it provides an example of how seriously consumers are taking data privacy — that they may refuse to use an application they distrust, even when that app is intended to serve the public good. A growing number of experts believe that the way forward is to integrate privacy into all technology, and that not doing so will create a ‘giant security vulnerability for the population.’ In addition, new technologies, such as artificial intelligence, can help to ensure that only essential data is collected and stored.
It’s understandable why data privacy has taken a backseat during the pandemic — many organisations have had to radically transform their practices and support a sudden shift to remote working. However, consumers are increasingly likely to cease doing business with a company that misuses data and/or doesn’t keep data safe. Failure to comply could result in both hefty fines and loss of business. With such clear consequences, organisations must prioritise data privacy before it’s too late.