$230 million. That’s the expected fine for British Airways for violating European data privacy law, i.e. GDPR. The final fine may turn out to be lower than this, but think about all the time and resources that British Airways will need to spend fighting this in court. Worst of all, it could have been avoided.
This story starts back in 2018, when a page on the British Airways website was hacked to redirect users to a fraudulent page. It is estimated that over 380,000 credit card payments and over 500,000 people were impacted.
GDPR isn’t new: it was adopted back in 2016, but it has only been enforced over the last year. We are now starting to see potential fines, and the numbers can be staggering.
Companies are getting caught by surprise as they try to fix how they collect and process data. Besides GDPR, we now have CCPA in California, which has most of the same elements. We can also expect CCPA to be copied across the rest of the US and in other countries.
This is a stark change in how consumers and policymakers are thinking about data privacy. Instead of just letting companies do whatever they want with data, they want limits and consequences.
Don’t get me wrong, it will likely take years before we see every company take data privacy seriously, but this is a good time to think about how YOUR company will handle this.
Privacy Now, Not Later
Your data strategy will get more complicated over time, which makes this the perfect time to think about how you will keep your customers’ data safe. This applies to what data you collect, how you process it and who has access to it.
Complying with GDPR and CCPA will help you lay a solid foundation on which you can build in the future.
Here are some example fines to help you weigh the cost against the reward of making this investment right now:
- British Airways – $230 million
- Marriott Hotels – $110 million
- Google – $50 million
- Austrian Post – $18 million
Companies with extensive data collection will have a harder time getting their house in order, but it will become a critical initiative to avoid legal fines and the loss of consumer trust.
Preparing Your Company and Team
Let’s talk about the practicalities of how your company should go about this. I recently shared the “Data Privacy Boxes” with a client, which looks like this:
All of your customer data is going to go into the box in the middle, but it has different levels of importance.
First, you need to understand all the different ways in which you collect data right now. This includes customer data, payment data, anonymous data and more. Diagrams showing the inbound flow of data will be helpful here.
Level 1 data is mostly anonymous and can be accessed by almost everyone. Level 2 data is more sensitive and should be limited to “special rooms” or groups of people. Level 3 is the most sensitive and should be kept in “safes”.
Second, you need to figure out how all of this data is being stored and where. This might be in your own databases or in a third-party tool like Google Analytics, Salesforce or Mixpanel.
Third, you need to categorize the data by importance to your business. What is critical and what isn’t? What could you stop collecting right now? Simplifying your data collection will make organizing it easier.
Fourth, you need to determine who will be able to access your data. Security varies but here are a few levels:
- Access to all data should be limited to company email accounts only
- Enforce two-factor authentication as much as possible
- Work out whether access to each kind of data should be limited to teams, roles or individuals within the company
- Set up alarms or alerts when anything weird or unusual takes place
Fifth, you need to appoint someone in your company to take ownership of keeping this information up to date and relevant. This could be a CDO (Chief Data Officer) or the CTO (Chief Technical Officer), but it needs to be done; otherwise, you will lose control over your data collection and access.
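To make the five steps concrete, here is an added example (mine, not part of the original post or any client material) that captures them as a small policy-as-code check: a data inventory recording how each kind of data comes in, where it is stored and its level, an access check that enforces the company-email, two-factor and group restrictions from step four, and an alert rule for unusual access. The company domain, asset names, groups, business hours and the denial threshold are all assumed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

COMPANY_DOMAIN = "example.com"  # assumed company domain; replace with your own


@dataclass(frozen=True)
class DataAsset:
    name: str
    source: str                 # step one: how the data comes in
    store: str                  # step two: where it is stored
    level: int                  # step three: 1 = open, 2 = special rooms, 3 = safes
    allowed_groups: frozenset = frozenset()  # step four: who may open level 2/3 boxes


@dataclass(frozen=True)
class Principal:
    email: str
    groups: frozenset
    mfa_enabled: bool


# Constructed inventory for illustration; real entries come from your data-flow diagrams.
INVENTORY = {
    "page_views": DataAsset("page_views", "web analytics tag", "Google Analytics", 1),
    "crm_contacts": DataAsset("crm_contacts", "signup form", "Salesforce", 2,
                              frozenset({"sales", "support"})),
    "card_payments": DataAsset("card_payments", "checkout page", "payments database", 3,
                               frozenset({"payments-admins"})),
}


def check_access(principal: Principal, asset: DataAsset) -> tuple[bool, str]:
    """Apply the step-four rules in order; return (allowed, reason) for audit logging."""
    if not principal.email.lower().endswith("@" + COMPANY_DOMAIN):
        return False, "non-company account"
    # Assumption: two-factor is mandatory for anything above level 1.
    if asset.level >= 2 and not principal.mfa_enabled:
        return False, "two-factor authentication required"
    if asset.level >= 2 and not (principal.groups & asset.allowed_groups):
        return False, f"not in an allowed group for level {asset.level} data"
    return True, "ok"


def audit_inventory(inventory: dict) -> list[str]:
    """Catch classification gaps the data owner (step five) must fix."""
    issues = []
    for asset in inventory.values():
        if asset.level not in (1, 2, 3):
            issues.append(f"{asset.name}: unknown level {asset.level}")
        elif asset.level >= 2 and not asset.allowed_groups:
            issues.append(f"{asset.name}: level {asset.level} data with no access group")
    return issues


def unusual_access(events: list[dict], max_denials: int = 3) -> list[str]:
    """Step-four alerting: repeated denials, or level 3 access outside 08:00-18:00.

    Both thresholds are assumptions; tune them to how your teams actually work.
    """
    alerts, denials = [], {}
    for e in events:
        if not e["allowed"]:
            denials[e["email"]] = denials.get(e["email"], 0) + 1
            if denials[e["email"]] == max_denials:
                alerts.append(f"{e['email']}: {max_denials} denied access attempts")
        elif e["level"] == 3 and not 8 <= e["when"].hour < 18:
            alerts.append(f"{e['email']}: level 3 access to {e['asset']} at {e['when']:%H:%M}")
    return alerts


# Constructed sample access log, the kind of record check_access() results would feed.
SAMPLE_EVENTS = [
    {"email": "ana@example.com", "asset": "card_payments", "level": 3,
     "allowed": True, "when": datetime(2019, 7, 10, 23, 15)},
    {"email": "bob@example.com", "asset": "crm_contacts", "level": 2,
     "allowed": False, "when": datetime(2019, 7, 10, 9, 0)},
    {"email": "bob@example.com", "asset": "crm_contacts", "level": 2,
     "allowed": False, "when": datetime(2019, 7, 10, 9, 1)},
    {"email": "bob@example.com", "asset": "card_payments", "level": 3,
     "allowed": False, "when": datetime(2019, 7, 10, 9, 2)},
]

if __name__ == "__main__":
    print(audit_inventory(INVENTORY))  # [] when every level 2/3 asset names its groups
    ana = Principal("ana@example.com", frozenset({"payments-admins"}), True)
    print(check_access(ana, INVENTORY["card_payments"]))
    print(unusual_access(SAMPLE_EVENTS))
```

The point of writing the rules down this way is that the inventory and the access policy become something the data owner can review and diff, rather than a setting scattered across Google Analytics, Salesforce and your own databases.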
Privacy is changing from both a legal and a consumer standpoint. Your company needs to stay ahead of the curve here and avoid unnecessary litigation. Any time spent now will be paid back in the future.