Uber failed to disclose a data-breach for a year and now it is having to fend off public anger. Under GDPR regulation, it would be fined heavily, but frankly even the threat of GDPR compliance is trivial compared to the potential damage to its reputation.
It’s not just the regulator Uber has to worry about, but staff and customers too. And in the age of big data and AI, when the customer is king, upsetting this all important driver of revenue is just about the worse business sin a company can commit.
Uber was the subject of a data breach a year ago, affecting 57 million customers. Instead of coming clean, the company secretly paid out a $100,000 ransom to have the data deleted.
It was the worst possible reaction. James Dipple-Johnstone, the deputy commissioner of the ICO, the watch dog charged with ‘upholding information rights in the public interest’ said: “Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics. It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.”
But the point is, such a breach and the way it was handled is seen by many customers as a betrayal of trust.
Civic law-suits may well follow.
Uber CEO, Dara Khosrowshahi, said there are no excuses, although in fact he can at least offer an excuse; he wasn’t the CEO at the time of the breach and the Uber response, rather Travis Kalanick, the Uber founder was.
But the public reaction could be vengeful. A headline in Vox sums the problem up well. “Uber just gave its users another reason not to trust the company.”
And as Alan Price, Employment Law Director at the UK’s leading employment law consultancy, Peninsula told us: “Many Uber customers are angered by the failure to be informed and are considering boycotting the firm. This is an understandable reaction and, if the workforce feel a similar way, it could lead to an increase in staff turnover.”
That’s the real crisis facing Uber.
Under GDPR regulation coming into force on May 25th 2018 companies will have just 72 hours to report a data breach. And sure, depending on the seriousness of the breach, a failure to report in time may result in the famously heavy 4 per cent of turnover or 20 million euros fine.
But the customer is who really counts. The company that cannot be trusted with customers‘ data will not survive the era that is approaching.
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/