You probably heard about the Equifax data breach that has compromised the personal data of 143 million customers. Hackers stole everything from names, addresses, dates of birth and, in some cases, credit card information. Although the potential consequences for Equifax's customers could resonate for years, if the breach had occurred after the EU General Data Protection Regulation (GDPR) comes into effect next May the difficulties facing the credit monitoring firm certainly would have been more severe.
GDPR: Not Just a European Concern
Due to come into force on May 25, GDPR will overhaul how businesses process and handle data. The new laws will apply to every organization that processes information within the EU and, here's the kicker, to every business that sells goods or services to European citizens.
In the weeks following the Equifax breach, we learned that the company also holds data for around 44 million British customers. This means if the breach had occurred a year later, the company would have been subject to the stricter laws that will soon regulate data protection and security breaches under GDPR.
Equifax: A Wake-Up Call for America?
One of the key parts of GDPR's stricter approach to data governance is that businesses must report details of any security breach affecting people's rights and freedoms within 72 hours. Fines for non-compliance will be proportional to each infringement, but they could reach up to roughly $23.5 million or 4% of global annual turnover for bigger businesses.
Equifax first discovered hackers had targeted customer data on July 29, but waited five weeks to publicly disclose the cyberattack. If GDPR were in effect, the company would have been required to take a more proactive approach to notifying affected customers. Moreover, its failure to do so would have resulted in a significant proportion of its $3.1 billion revenue going toward paying fines.
Equifax is far from the first company to take a laissez-faire approach to announcing data breaches. Last year, Yahoo, for example, only admitted to a hack that happened three years previously and had affected more than one billion user accounts. However, after GDPR, every U.S. company that does business with European-based customers will need to inform individuals directly affected by personal data breaches without undue delay.
The Time Is Now
Writing for Forbes, Dan Wellers, the Global Lead for Digital Futures at SAP Marketing Strategy, said, "The accepted wisdom in the cybersecurity field today is that there are two types of companies in the world: those that know they've been hacked, and those that don't."
In an age when security attacks like Heartbleed and WannaCry make headlines across the world, no enterprise is immune from cyber threats. For this reason, companies that are seen to take data protection seriously can forge a competitive advantage over those that do not.
Good data security and compliance breeds trust among customers, strengthening relationships, retention rates and, ultimately, profits. By showing businesses how they can take a fresh approach to acquiring, managing, and retaining personal data, GDPR can help organizations meet the rising challenge of protecting data.
GDPR is likely to create a new international standard for safeguarding data and a framework that all companies would benefit from applying. Using the new regulations as inspiration, now is a great time for your business to take a closer look at how it protects data and whether vendors, such as those providing your contact center services, are putting your company at risk.
Final Thoughts
At this point in time, it looks as though GDPR is going to have implications that reach far beyond Europe's borders. The Equifax scandal highlights the importance of cross-border data security, and the role vendors play in applying it means U.S.-based contact centers will need to take GDPR into consideration. At the same time, the increasing importance of integrating security and privacy into business strategy means GDPR can even provide an effective framework for U.S.-based companies that don't operate in European markets.