Joanita Nagaba

Data Protection Specialist

Article

Why companies should prioritize data privacy.

February 22, 2021 Blog

As data subjects become more privacy-centric, it can only be expected that corporations whose core belief is that the customer is always right and cash is king should reciprocate their customers’ needs. Evidently there has been a shift in customer behaviour, as users have opted for privacy-focused applications like Signal, Telegram and DuckDuckGo. DuckDuckGo is a privacy-focused search engine that neither tracks users’ searches nor shares users’ personal data with third parties.

Companies must make a shift towards bridging the gap between organizational strategy and personal data protection. Some of the companies that have met the wrath of privacy fines for failing to make this shift include Walmart, British Airways, Marriott International Inc. and Google.

  • Walmart is settling a $10M class action suit with its Illinois employees for violating the Illinois Biometric Information Privacy Act, after the employees claimed that the company used their biometric data from its palm scanning device without their consent.
  • British Airways was fined 20M Pounds for failing to protect the personal and financial details of more than 400,000 of its employees.
  • The French Data Privacy regulator fined Google 50M Euros because it failed to provide enough information to users about its data consent policies and did not give them enough control over how their personal data is processed.
  • Marriott International Inc. was fined 18.4M Pounds for failing to keep millions of customers’ personal data secure.

The peculiarity of the Marriott case should raise alarms for corporations conducting Mergers & Acquisitions. In 2014, cyber attackers hacked into Starwood Hotel’s system, which resulted in a privacy breach affecting several of its guests. The attack went undetected until 2018, after Starwood had been acquired by Marriott in 2016. This case should stand as a reminder for professionals conducting due diligence to take into account the data privacy standards of companies that they intend to merge with or acquire.

Under the GDPR, fines for non-compliance with the regulation are up to 20M Euros or 4% of the entity’s annual global turnover, whichever is greater. The far-reaching hand of the GDPR has informed laws and regulations across the globe, hence most fines fall within that range. Granted, the myriad and fragmented Data Protection Laws across the globe have created a complex data privacy compliance framework, especially for multinationals. However, just as companies have managed to formulate thriving business models across borders, they must design data privacy models that are equally befitting.

According to the Implementation and Compliance Guide by the IT Governance Privacy Team, “the prerequisites for implementing a complex compliance framework are knowledge and competence”. Compliance with the diverse laws may be fostered by engaging dedicated Data Protection Officers/Managers in the different countries to keep track of regulations and enhance compliance. More importantly, prioritizing and leveraging personal data privacy will foster a data privacy culture, making it easier to comply with laws and mitigate personal data breach risks.

Yuval Noah Harari postulates that the 21st Century is ushering in a new religion, Dataism, which “declares that the universe consists of data flows, and the value of any processing phenomenon or entity is determined by its contribution to data processing”. He suggests that the new era will be woven by the Internet Of All Things as everything and anything will be plugged into the new system. Therefore, as we journey along, it is fundamentally crucial that we all cultivate a culture that fosters protection of personal data because, contrary to popular belief, the rise of data privacy is not meant to curtail innovation but rather to foster responsible use of technology.

The author is a Lawyer, Data Privacy Practitioner, Member of the IAPP and Co-founder of ANJ Data Management Solutions (A) Ltd.
