Scott Baker

Calculating the Costs of the GDPR

Blog Post created by Scott Baker on Dec 7, 2017

Blog post part 2 of 2

In my post yesterday, I went over some core concepts of the European Union’s (EU) General Data Protection Regulation (GDPR) that is set to go into effect on May 25, 2018. It was important to outline those concepts for you to better understand the financial impact of the penalties that GDPR article 83 specifies. And what better way to marry those two together than with a recent example that made national headlines?

I’ll admit that I am a bit “old school” and still have the newspaper physically delivered to my door each morning. While my tastes in the authoritative source of that paper may have changed over the years, my ability to shift to some type of “e-rag” media format never took hold. There is something to be said for physically turning pages that still appeals to me, but I digress.

On November 22, 2017, the USA Today newspaper ran an article in their Money section about how one of today’s most popular ride-sharing companies, Uber, kept a data breach under wraps for at least a year. That breach affected 57 million customer and driver records stolen by what they termed “hackers.” I think “hackers” is a bit of a stretch because they essentially accessed login details to an Amazon Web Services account, controlled by Uber, that contained an archive set of the data. The stolen data included names, email addresses and phone numbers for 50 million Uber riders and 7 million Uber drivers. Additionally, it was determined that 600,000 U.S. driver’s license numbers were also compromised.

Here’s my question – what would that look like if this happened in the era of GDPR? Now this does come with a request for you to suspend disbelief as we walk through the scenario. Specifically, let us assume the following:

  1. GDPR has been in effect since November 2016.
  2. Uber is an EU-based company supporting EU citizens (none of whom were considered minors, as defined by GDPR). Alternatively, we could maintain that Uber is U.S.-based and assume that all 57 million stolen records are representative of EU citizens – both of which make GDPR applicable.
  3. Consent was obtained for the personal data at the point at which it was collected.
  4. No amicable settlement with the company and data controller can be agreed to.
  5. Actual result: Uber’s revenue in 2016 was $6.5 billion (or 6.0b EUR) according to an article by Reuters.

It is important to keep in mind that GDPR endows supervisory authorities with a number of powers related to non-compliance, audits, remediations, administrative fines and steps necessary to ensure the rights of data subjects in their charge. This also means that every situation is going to be unique, and the severity of the actions or fines taken will be dependent upon the circumstances of each case. Regardless, when deciding whether or not to administer a fine, GDPR sets out (article 58 and article 83) what must be considered:

  • Nature, gravity and duration of the infringement.
  • Intentional or negligent character of the infringement.
  • Action taken by the controller or processor to mitigate the damage suffered by the subject.
  • Previous infringements levied against the organization.
  • Degree of cooperation with the authority in order to remediate the infringement and mitigate any adverse effects.
  • Categories of data affected by the infringement.
  • Manner in which the infringement becomes known to the authority.
  • Whether any corrective powers have previously been imposed.
  • Adherence to approved codes of conduct or approved certification mechanisms.
  • Any other aggravating or mitigating factor such as financial benefits gained or losses avoided, directly or indirectly from the infringement.

As you might imagine, having so many records stored on a public cloud service (even though Uber had ownership over the resources) and a loss of control resulting in credentials being posted in a public forum elevates the gravity of the incident and would certainly underscore a sense of negligence here. Additionally, the decision to keep the breach hidden from public view for over a year has a negative impact on the manner in which the authority would have found out. Not to mention, money was paid to keep the event quiet. Again, operating in that mode of suspended disbelief as the supervisory authority, this infringement is of a caliber that requires administrative penalties. So, let’s get started.

The Penalties

There are two categories of penalties that can be selected from, both of which make use of the key word “greater”:

  1. 10 million EUR or 2% of global annual turnover from the prior fiscal year – whichever is greater. If it is determined that the non-compliance with GDPR was related to technical measures such as impact assessments, breach notifications and certifications, then the fine would fall into this category.
  2. 20 million EUR or 4% of global annual turnover from the prior fiscal year – whichever is greater. If it is determined that the non-compliance involved key provisions of the GDPR, such as non-adherence to core principles of processing personal data, infringement of the rights of the data subject, or the transfer of personal data to third countries or international organizations that do not ensure an adequate level of data protection, then the fine would fall into this category.

Where would you place it – 1 or 2? The point is, no one can be sure today as each supervisory authority will treat each infringement differently based not only on their specific interpretations of GDPR, but on everything I listed above and the specifics of the EU state(s) where the infringement occurs. Let us consider both:

Situation: Uber purchased web services from a public cloud provider where (at the very least) an archive data set, containing a disproportionately large set of directly identifiable personal data on their riders and drivers, was transferred to another country that lacks the appropriate safeguards (e.g. GDPR alignment) to protect the data. Incidentally, depending on the source you choose, Uber statistics produced by expanderramblings.com on 11/21/2017 reflect that as of yesterday, there are still 50 million riders and 7 million drivers – the same number and distribution of records that were stolen. Access to the web services was compromised when the credentials were posted on the publicly accessible software development site GitHub.com. With credentials in hand, the attackers gained access to and stole the personal data in question. Data controllers, in an attempt to mitigate the risk and exposure, were extorted for around 85,000 EUR by the attackers, and payment was made with the expectation that the data would be deleted and no mention of the event would be made public. Keep in mind that this comes on the heels of a similar breach event in September 2014 where credentials were leaked, data was stolen and the breach was kept under wraps for almost six months.

The Results: The relevant supervisory authority will now have the power to levy a fine of €240 million (4% of €6 billion), which is far greater than €20 million. While 4% is the extreme and likely reserved for the more flagrant offenses, even a 1.5% fine of €90 million could make a material difference in Uber’s strategic business goals, in addition to dealing with pressures on its market leadership regarding a tarnished brand or loss of consumer trust.

Don’t Forget the Bystanders: Article 26 of GDPR defines the term for joint controllers and service-based organizations that provide for the processing of personal data. Cloud service providers fall into this category. And, while Amazon is not providing any specific processing services and instead provides logically separated, hosted infrastructure to those who purchase it, it still enters the public spotlight.

Summary

The GDPR and how the supervisory authorities will approach penalties have yet to be truly tested. However, it is safe to say that it seems to follow an all-too-familiar formula – higher penalties for non-compliance often produce higher levels of compliance. Sadly, the vagueness of certain provisions and the size of the penalties have attracted the interest of the media and flooded the market with a large degree of rhetoric.

It is clear that the concepts of GDPR and the implications for the people, processes and technologies that organizations are built on must be at the forefront of every organizational leader’s conversation. Not only because of the economic repercussions of non-compliance – up to 4% of total global annual turnover or €20 million – but also because GDPR emphasizes the importance of proper data management and governance. Let’s face it, we are becoming just as “digitized” as data is, and as a digital citizen in today’s world, I would be looking for the same rights and guarantees in cyberspace that I am afforded in my physical form. Call it GDPR, HIPAA, SOX, etc., these regulations are coming fast and from different market segments. It seems like the right approach to GDPR is ensuring that you have a robust and flexible technology foundation to operate from regardless of geography, and Hitachi Vantara just happens to have it in our Content and Data Intelligence Portfolio. More on that in subsequent posts.