We’ve reached that time of year when everyone is basically in summer mode – non-work plans being made, last day of school or first day of camp lunches being packed, the inevitable first sunburn (for me, not the kids). It’s the time of year when there’s also a downshift in activity, and (even in the litigation world) things begin to slow down. Throw in the World Cup, and things basically grind to a halt. It’s also the time for mid-year reviews, where you talk through and think about your progress since the beginning of the year. That’s not a bad idea for your data security and privacy plans, either, given how long ago January feels.
We started this blog by talking about the notion of 2018 as the “Year of DataSec,” and how the onset of the GDPR would bring privacy protection to the forefront of our collective discussions. For a time, it seemed like that was universally true, with GDPR gaining such public attention that it was (ever so briefly) a more popular search on Google than Beyonce, whom, we can only assume, unexpectedly dropped her latest album to ensure that this never happened again.
You might assume, then, that everyone is finally on board with data security and that, at long last, I can stop blogging about it. And from the simultaneously apocalyptic-yet-messianic media coverage of the Regulation, you might think that, by now, surely the GDPR has done its job and companies worldwide have learned to balance commerce, privacy, and technology for the good of all.
Nah.
If we were giving mid-year reviews on data security and GDPR compliance, there would be plenty of good to note. Some companies have built compliance regimes that will stand them in good stead. Others have made admirable efforts to improve their operations, and should feel confident that they are on the right track. Others, though, seem to have fallen into one of two categories when it comes to compliance, each of which presents serious risks.
Group One – The “Huh?” Squad
These businesses seem shocked that the whole “privacy” thing was for real, and they are not rare. A sizable portion of American and European businesses looked at the GDPR, and seemingly concluded that it just wasn’t going to be a big deal or that it was such a big deal that they couldn’t do anything to prepare.
Doing nothing, in our view, presents the biggest enterprise risk, which is to say that if you do nothing, the chances of being catastrophically hacked go way up. It isn’t the case that building a GDPR compliance program will guarantee that you aren’t hacked, far from it. But it is certainly true that attempting to build a security apparatus that complies with Article 30 will give you at least a baseline of security measures designed to deter hackers. Compliance, in a sense, has a built in mechanisms for protecting your business from unwanted intrusions.
Without the time and resources devoted to data security, it is simple to fall into the trap of thinking that the risks of a breach are low. They aren’t. If you’re interested in seeing just how bad it is, go to https://haveibeenpwned.com/ and enter your email address to see if it’s been compromised. Now enter a password you use to see if it’s been compromised. Terrifying, right? And if you’re fortunate enough to have neither a pwned email or password, how long do you think that will remain the case if you haven’t done even a minimal data security upgrade?
Essentially, doing nothing is the worst kind of risk, because, in the event that something goes wrong, it doesn’t even allow you the benefit of saying that you tried. Is data security expensive? It can be, but certainly no more expensive than a serious breach. Is compliance complicated? Sure, but that’s no reason to not do it. Filing a tax return can be complicated, but we all do it, both because it’s the law and because the long-term consequences of failing to comply can cause major complications down the line. You have to view data security and privacy in the same way, as an investment in your company’s own wellbeing. Otherwise, you may well find yourself in a position where you wonder why you didn’t take the warnings seriously after it is too late.
Group Two – The “Meh” Squad
When I just said doing nothing is the “worst” kind of risk, perhaps that was too far. Because it is also a very, very bad idea to start a plan and fail to follow through. We’ve discussed this before, but the biggest issue with saying that you follow certain standards or employ certain safeguards but not doing so is that you have created a major consumer problem. Even if you are not subject to the GDPR, saying things like “we encrypt your data and never sell it” and proceeding it store data in plain text before selling it is a fast way to end up in an FTC investigation. And if you say “we’re GDPR compliant” but you are not even close, Data Protection Authorities in the EU are going to consider that when implementing penalties for your misconduct.
The best example for this group is pushing out a privacy policy on May 24 that lists all manner of protections, security, and consumer rights (because everyone else was doing it) but not actually being prepared for implementation. It’s counterintuitive to many, but it is far better to be straightforward with consumers about what you’re doing and why. The GDPR’s central value criterion, as we have said, is transparency. When you put a minimal amount of effort into your privacy regime (namely, saying you’re going to do something and never doing it) you’re introducing opacity into the process, and that’s not going to go over well.
What do you do? Other than implementing a robust privacy and security regime? In the short run, the best course is to identify the most easily implemented components of your plan and put them into practice right away. “Doing” privacy is a lot like having a punch list at your house – it can seem incredibly daunting at first, but by tackling it systematically, it will eventually get done.
No company will perfectly handle their regulatory requirements, but it isn’t about achieving perfection. Instead, it is about taking demonstrable steps towards improvement, and doing so consistently over time. In the end, even if there is a breach or an investigation, you may be spared major penalties or litigation if you put in the effort, especially if you start now. To use a cliche, don’t let the great be the enemy of the good, because that often leaves you with neither, and that is not something you want to explain to a regulator or, worse, a jury.
So if you do your own mid-year review, how would you fare?