The financial penalty for a business not complying with the EU’s new General Data Protection Regulation (GDPR) could be catastrophic. Recent research has revealed that 86% of organizations worldwide are concerned about the impact of the new EU regulations, believing they could have a negative effect on business. Indeed, 20% fear non-compliance could lead to financial ruin.
Although the new laws originate in Europe, the legislation covers the protection of sensitive data regardless of the geographical location of a breach. If a resident of the EU is involved, then GDPR rules come into play no matter where the company or its servers are located. And with a fine of €20 million or 4% of annual global turnover for serious security breaches, the impact of non-compliance, regardless of where you do business, would have serious consequences.
These fines far exceed the current maximum for similar infractions. If breaches hit levels recorded in 2015, the fines paid to the regulator would increase from £1.4bn to £122bn.
GDPR’s corrective powers and sanctions can be wielded against any commercial enterprise in breach of its rules. And while some may be happy to accept a warning before rectification, few businesses, particularly SMEs, have the resources, financial or administrative, to deal with such headaches. With penalties extending to temporary or permanent bans on data processing and the suspension of data transfers, businesses are not only in line for a financial hit but also face the inability to fulfil service expectations, the possibility of having compensation claims made against them, and irreparable damage to brand reputation and consumer trust.
The legislation’s ambition is to encourage companies to think more proactively about data protection. With GDPR overseeing the protection of that sensitive information, companies must ensure they put in place compliant security protocols. GDPR reinforces the need to consider how data is secured, and comes at a time when a breach is more likely than ever.
Because administrative fines have been set at a level intended to dissuade those risking non-compliance, high-priced penalties are likely to arrive very soon as regulators attempt to set an example to others. Yet, as a recent study reveals, nearly half of organizations globally believe they will not meet the deadline for compliance, leaving them exposed to potential fines.
The GDPR intends to harmonize data protection regulations across the European Union, making it easier for companies operating outside the EU to comply with regulations. That’s helpful to the international marketplace. But as a result, non-EU businesses must also understand their responsibility for securing sensitive data to avoid GDPR sanctions.
Businesses must therefore prepare for GDPR, putting in place the mechanisms to reinforce data security. Good practice already suggests a privacy impact assessment (PIA) is helpful, but GDPR makes it mandatory. Privacy could also become a board-level concern alongside policy initiatives to ensure the risk of a data breach is minimized through optimized security measures. For larger organizations, a data processing officer (DPO) must also be appointed, with core activities surrounding the management and monitoring of data processing as well as notifying the relevant local authority of any breaches.
With GDPR’s financial penalties affecting the worldwide commercial environment, organizations need to consider their responsibilities and put in place corrective actions to meet compliance.