Issue link: https://cp.revolio.com/i/964464
16 | THE DATA CENTER JOURNAL www.datacenterjournal.com T urning our focus to the technology industry, sev- eral Internet-based social websites and applications have international influence and presence through international platform expansion and marketing ef- forts. One recent example is Facebook and its acquisition of the messaging application WhatsApp. WhatsApp an- nounced in August 2016 that it would share user data with Facebook to im- prove its service, as well as to provide statistics and patterns to the social- media giant. Facebook has increased its marketing efforts in years past with suggestion capabilities that use collect- ed data to inform users about products or services that may be of interest to them. Since the acquisition, What- sApp has expanded its application reach internationally to Brazil, India and Europe, putting it at the forefront of data-protection regulations. As of March 15, 2018, WhatsApp announced it will no longer share user data with Facebook until it can assure U.K. users that it's compliant with the GDPR. e GDPR places Facebook's acquired WhatsApp partnership under scope for not only its presence in the United Kingdom, but also its monitor- ing of EU data subjects and attempts to offer them goods or services on the basis of that collected data. Facebook's practices most likely include the use of automated individual decision making against EU data subjects, requiring a lawful basis such as explicit consent under the GDPR. Processing is broadly defined in the regulation to include most actions that can be performed with data and can specifically refer to collection and storage—something Facebook would be doing in this case. e website must therefore have pro- cesses in place to honor nine distinct rights awarded to EU data subjects and be able to operate under the guid- ing privacy principles defined in the GDPR. e regulation further dictates appropriate security efforts regarding protection of personal data, estab- lishes breach-reporting requirements and increases the risk associated with vendors processing this data. ese expansive requirements will make the marketing process much more com- plex for these two tech companies. Smaller applications and web- based social sites may not be consider- ing the new regulations as seriously as they should be, but past enforcement actions point to enforcement risk regardless. e GDPR says noncom- pliant companies posing a risk to EU citizens and their privacy can be fined up to $20 million or 4% of their global turnover for the previous fiscal year, whichever is greatest. On top of this penalty, EU individuals also have the ability and right to receive compensa- tion from the controller or processor for the damage suffered. A company like Facebook, which had a net revenue of about $18 billion in 2017, could face a fine of $720 mil- lion dollars. Note that this fine would be per violation. It's reasonable to as- sume that larger repercussions would result in this hypothetical case, since case law suggests similar types of viola- tions don't stand alone but typically occur with others. Related companies must imme- diately take several steps to mitigate their exposure to risk. A solid start is understanding the GDPR's applicabil- ity to various parts of the business as well as understanding each unit's risk profile to establish priorities for the initiative. Once they've identified risk and priorities, organizations must identify and establish their lawful basis for processing this data. Every industry has its own unique risk and operational challenges, and every business has its own maturity relative to industry peers. Using the trusted counsel of a compliance firm helps to quickly identify both industry and organizational risks that oen go overlooked. A risk-management and compliance consulting firm can help organizations quickly identify risk, formulate a plan to mitigate this risk and set up monitoring programs to maintain valuable compliance records. Some have suggested the GDPR will set a global precedent for data privacy and security regulations. Brazil and China have both showed interest in forming similar requirements to protect the privacy of their citizens' personal information from businesses storing and transferring data across borders. To adequately prepare for the GDPR and similar regulations that are likely to arrive, businesses must begin educating themselves on these regula- tions and decide how they'll tackle the requirements. Applicable processes and procedures can obviously help minimize exposure to fines, but they also provide an opportunity to reas- sure customers and, in return, earn their trust. n About the Authors: Greg Sparrow is Senior Vice President & General Manager at CompliancePoint. Greg has over 17 years' experience in privacy, information security and risk management. He has worked on both U.S.-based and international projects and was responsible for development and implementation of security programs protecting billions of dollars in annual transactions. Greg's most recent work includes security and certifications for Samsung Pay, enterprise risk management for multiple NFL and MLB sports teams, and critical-infrastructure security at some of the nation's largest transit hubs. Greg holds multiple IT and security certifications covering the health-care industry, payment-card industry and federal banking standards.