With the recent approval Jamaican Data Protection Bill it is becoming increasingly important that local companies as well as those across the wider Caribbean region get ahead of Data Privacy Regulations and begin to act now implementing Privacy best practices. We are not too far from the day we see the first local or regional privacy violation resulting in sanctions against any local entity. This could be because of a company not keeping pace with the changes in business practices/processes of the imminent Digital Economy accelerated by the Novel Corona Virus (COVID-19). Privacy is not just an EU regulation anymore, privacy is here and it's here to stay.
Now that our Data Protection Bill has officially become law lets look at some of the most recent privacy violations globally. In addition to the well-known incidents of Facebook and Google being fined for General Data Protection Regulation (GDPR) violations other regulators are becoming more active and companies are feeling their wrath. Privacy legislators have now raised maximum fines to €20m (£17.5m) or 4% of global turnover- whichever is the greater. Listed below are some legislators and some of their highest fines.
General Data Protection Regulation (GDPR: European Union)
Bounty UK was fined $400,000 pounds for illegally sharing the personal information of more than 14 million people. The company collects personal data from its website, mobile apps, merchandise pack claim cards and new mothers at hospitals bedsides but failed to fully disclose that this information was being passed on to third parties for direct marketing purposes.
Marriott is being fined for $99M pounds for a data breach related to a cyber-attack which exposed a range of personal data contained in approximately 339 million records of hotel guests, around 7 million were UK residents. The suspected origin of the vulnerability was a 2014 compromise of the systems of the Starwood hotels group, which Marriott acquired in 2016. Marriott reported the incident in November 2018, but the ICO found that Marriott had failed to undertake enough due diligence when it bought Starwood and did not sufficiently secure its systems.
Your Money Rights was fined $350,000 after making 146 million illegal calls. The unsolicited calls concerned with Payment Protection Insurance (PPI) claims that caused numerous recipients to complain of feeling harassed and threatened. Companies can only make automated marketing calls to people if they receive specific consent, which Your Money Rights failed to obtain.
Personal Information Protection and Electronic Documents ACT (PIPEDA: Canada)
There is a $100,000 Canadian fine if companies are found to know about existing vulnerabilities and does not act. The Office of the Privacy Commissioner (OPC) are currently looking into an incident where six million Capital One Canadian customers had their personal information compromised via a data hack.
Florida Information Protection Act (FIPA: Florida, US)
Office for Civil Right (OCR) fined Florida Physicians Group $500,000 USD for HIPAA failures, they were sharing protected health information with an unknown vendor who was providing medical billing services for them.
In addition to the hefty regulatory fines’ companies are at risk to lose more than just money. Reputational damage can also be a huge resultant of not having a privacy program, news travels fast and negative press can cause irreparable damage to the organisation. Furthermore, other damaging consequences include: Operational Downtime, Legal Action and Loss of Sensitive Data.
Where do we go from here?
Have you had a Privacy Impact Assessment done for your organization to determine your Privacy Risk Profile? Do you have Privacy policies and procedures that are incorporated and aligned to the different jurisdictions in which your company owns and operates? If the answer to any of the above is no, then it is time to get cracking privacy regulation is here and organizations that remain non-compliant will suffer the consequences similar to those outlined above and even more. So let's talk about your Privacy Framework Development and how it aligns to guidelines stipulated by Data Commissioners in your respective jurisdiction. If you found this content meaningful please share with your colleagues or your organizations Data Privacy Officer.
Ashdane Beckford is a Privacy and Information Security Consultant at Symptai Consulting limited. He is currently completing his B.Sc. in Computing majoring in Information Technology and Minoring in Information Systems at the University of Technology Jamaica (UTECH). He is a former member of the Utech rugby team and has a demonstrated passion for information technology. When he isn’t glued to a computer screen, he spends time reading finance books and talking about current affairs.