The General Data Protection Regulation (GDPR) went through four years of preparation and debate before being adopted by the European Parliament in April 2016. Its requirements lay out how organizations must collect, process, store, and secure the personal data of individuals in the EU, wherever the organization itself is based. Enforcement begins on May 25, 2018, and any company not in compliance by that date could be in for a very nasty shock indeed.
The short answer to our question can be found in Article 83(5), which allows fines of up to 20 million euros ($23.6 million at the time of writing) or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. That is the upper tier: a lower tier in Article 83(4) caps fines at 10 million euros or 2% of turnover for infringements of the controller's and processor's own obligations, which include the security-of-processing and breach-notification duties in Articles 32 to 34. Little wonder, then, that 92% of US multinationals surveyed by PwC named GDPR as a top priority, and 77% plan to spend $1 million or more on compliance.
Sky high fines?
The high ceiling on fines that will come in with GDPR will give data regulators much greater punitive power, in theory. In practice, we simply don’t know how fines will be levied.
Maximum fines are rare, and there is currently a great deal of variance from country to country. For example, in the U.K. the Information Commissioner's Office can currently issue fines of up to 500,000 GBP, but the highest fine to date was 400,000 GBP ($532,158), imposed on the telecoms company TalkTalk after a breach that exposed the names, addresses, dates of birth, phone numbers and email addresses of more than 150,000 customers, and the bank account numbers and sort codes of thousands more.
There's some debate about whether the maximum fines will actually be levied, and in what circumstances, but it's possible that some regulators will want to send a clear message by making an example of a company for non-compliance. The European Data Protection Board (EDPB), the successor to the Article 29 Working Party, is tasked with issuing guidelines on fines, but that guidance is not yet available and the first few cases are likely to set the precedent.
The risk of GDPR fines isn’t just the fine amount, but also the fact that your company name will appear in headlines associated with a lack of security. The lasting damage to your brand is hard to quantify, but it seems likely that people concerned about privacy will avoid the brand if an association is made. In the aftermath of TalkTalk’s breach, for example, the company lost more than 100,000 customers.
A severe fine for non-compliance will generate a lot of news stories, and any potential customer researching their options may find those stories and be influenced by them for years to come. The way companies collect and use data is coming under increasing scrutiny as privacy concerns among consumers grow, and that scrutiny is only going to intensify. Why take the risk?
With uncertainty about the level of fines that will be imposed, businesses need to invest some time and resources into establishing whether and how GDPR applies to them. When Vanson Bourne surveyed 1,600 organizations, it found that 37% of respondents don't know whether their organization needs to comply with GDPR, while 28% believe they don't need to comply at all. Ignorance will not provide any protection from fines.
Compliance is a smart move, not just to avoid fines, but to safeguard your customer data. For the most part, the requirements formalize principles you should already be applying. Assess your privacy practices (including data protection impact assessments for high-risk processing), appoint a data protection officer where Article 37 requires one, keep a record of what personal data you hold and where it is processed and stored, and create a data breach plan that can get a notification to the supervisory authority within 72 hours of becoming aware of a breach, as Article 33 requires. Preparing for GDPR compliance is hardly an insurmountable task.
If this prompts companies to review the data they collect and ask whether they actually need to keep it, that's a good thing. Too many companies hoard data, and every record you hold but don't need is risk without benefit. There's also no excuse for unclear consent forms or privacy policies. Ultimately, companies should not be treating data protection as optional.
We can’t say for sure what non-compliance with GDPR will cost you, but there’s a good chance it will prove more expensive than compliance, and that’s the point.