Why Do Companies Get Fined?

We’ve all heard about the big privacy fines that companies have faced. $5 million for Facebook. $575 million for Equifax. $50 million for Google.

But what do these companies actually do to get fined? And how can such fines be prevented?

What is the reason for privacy fines?

Privacy fines typically come about when an organization does not properly protect people’s personal information. The most common trigger is a leak of personally identifiable information (PII) that should have been protected.

This can happen one of two ways.

The first way is when you don’t know that you’re holding PII, or where PII is stored in your systems. If PII is just floating around in your systems, it can easily be stolen in a breach or leaked by an employee—either by mistake or on purpose by a malicious insider. And a breach or a leak of PII could mean a major fine for your organization.

The second way is when you know where the PII is in your systems, but you don’t protect it well enough. The larger the store of PII, the larger the potential fine if it is lost, and the better it needs to be protected.

How do you prevent fines?

If the first way to get fined is not knowing what PII you are holding and/or where it is stored, then a key measure to prevent fines is to inventory your PII. Catalog the PII you are aware of, and then search your systems for PII that you might not be aware of. Cloud buckets are notorious for having PII lurking in them.

For the second way to get fined—not protecting PII well enough—we recommend using something called a Data Protection Impact Assessment (DPIA). A DPIA helps you identify the privacy risk for each unit you analyze, perhaps a cloud bucket, an on-premises server, or a website. Each should be analyzed based on the likelihood and the severity of any impact on the privacy of individuals, and the resulting possibility of a fine for your organization. High risk can result either from a high probability of some harm, or from a lower probability of serious harm.

A DPIA describes the nature, scope, context, and purpose of the processing; assesses the necessity of the information and the proportionality of any compliance measures; identifies and assesses the risks to individuals and the resulting fines; and identifies measures to mitigate those risks.

From there, you can match data protection to the actual risk, ensuring your strongest defenses are matched with the systems that most need protection.

Further, doing a DPIA shows regulators or anyone else that you’re taking privacy seriously, which will help demonstrate due diligence in the unfortunate case where there is a PII breach or leak. Regulators will look upon you more favorably if you have done a DPIA.

Need some help? Our Privacy Experts can increase your Zen. Read about our ZenPrivacy Impact Assessment or contact us today for a free consultation.
