New year is traditionally the time to change our ways. As we reflect back on the year just gone, perhaps we see that an inch has gone on to the waistline, or we’re more out of breath as we run for the train, or the savings have diminished even further. All good prompts to change our ways and come up with new life strategies?
Reflecting back on 2014 and what the year meant for privacy and security in business, we see some monumental events. The European Parliament finally voted through the proposed General Data Protection Regulation, bringing closer the world of mega privacy and security fines. The EU Data Retention Directive was overturned by the Court of Justice of the European Union (CJEU), creating huge dilemmas for telecos and internet service providers, and the need for emergency action by the Government to stabilise the law (see the Data Retention and Investigatory Powers Act). Established ideas about global web search, data controllership and establishment were turned on their head by the decision of the European courts in the Google Spain case. The lawfulness of the EU Safe Harbour decision that underpins much of the transatlantic traffic of data from Europe to the US, including Facebook’s, was referred to the CJEU for judgment by the Irish High Court. Russia accelerated the process of isolation of its data. Over Christmas a mini cyber cold war, if not a mini cyber war, seemed to unfold in real time before our eyes, as the US and North Korea locked horns over the Sony hack.
It was not just the media sector that was badly affected – the retail sector and the financial services industry were both badly shaken by a relentless run of cyber security breaches. One hack cost a retail chief executive his job. The security of cloud storage was put under a glaring spotlight, as celebrity photos were released to the world.
For business, all of these stories are connected, but the highest denominator – the one that really matters – is that they tell us that we are living through a period of rapid and disruptive change in our digital worlds. Nothing can be taken for granted. Established norms cannot be relied on.
Breaking this down, these stories convey these key messages, from which we can find many business impacts:
- Activism. At the heart of the legal environment for data protection and security there is a new sense of activism, consisting of citizen activists, regulator activists, judicial activists and political activists. The activists are driving law reform (legislative, case law and regulatory strategies). Sometimes they can combine to achieve unprecedented outcomes. The decision in the Google Spain case is one where the citizen activist combined with the regulator activist to put the future of global web search in the hands of an activist court. Clearly, if activists can change how a technology giant functions, every business can be changed.
- Threats. The cyber security threat, which many businesses have shrugged off as a scare story, is real and the fact that very significant damage can be caused – in business disruption, brand damage and legal damage – cannot be denied, not even by the most blinkered optimist.
- Globalisation. While the digital and cyber worlds and the technologies that underpin them reject the idea of national boundaries, the real world is seeking to put up boundaries, or is seeking to extend current boundaries into foreign territories. There seems to be a global regulatory arms race underway, as particular nations, areas of combined regional interests and treaty zones seek to assert their behavioural, cultural and political norms and standards over others. Simply put, businesses may need to chart new global courses.
Businesses that thrive and succeed in times of rapid and disruptive change are ones that are honest with themselves about the challenges. Corporate history is littered with examples of once-dominant businesses that find themselves suddenly obsolete and the case studies already include ones where the trigger to obsolescence was a digital shift. Blockbuster and Kodak spring to mind.
The disruptive changes that we are seeing in the fields of data protection and cyber security will certainly result in the ruin of some businesses. Some will collapse under the weight of security failure. Some will fold because their models cannot sustain the cost of mounting regulatory burdens. Some will surely go the way of News of the World, if caught acting in a seriously illegal manner. Many more businesses will be forced to find new revenue models, as the legal environment and outside pressures cause a shift in attitudes to advertising, profiling and tracking.
There will be big winners too, of course, winners united by a common thread. Rather than burying their heads in the sand, they will have faced up to the challenges and built strategies for success. Strategy is at the heart of everything. Businesses need to develop new approaches to the new realities of data protection and cyber security. Reviewing and adjusting strategies is the single most important new year’s resolution that any business can adopt to ensure continuing success on data protection and cyber security. A simple test would be to ask these questions:
- Have we got a strategy for data protection and cyber security?
- Could we describe the strategy to a regulator, customer, shareholder or reporter?
- Are we sure that the strategy is still fit for purpose?
Only a person who can honestly answer ‘yes’ to all these questions would conclude that a strategy review is unnecessary in 2015. However, that person, while honest, is probably still an optimist.
Stewart Room is global head of data protection and cyber security at PwC Legal