Can Your Company Pay a 20 Million Euro Fine?

Could your company afford to pay a 20 million Euro fine or to lose 4% of your annual global turnover?

It’s a question you should be asking because it’s the penalty that your company will face if you fail to gain your customers’ consent to process their data or deliberately breach their privacy under the EU’s General Data Protection Regulation (GDPR) which comes into effect within weeks. All companies in the EU regardless of size or sector and all those that deal with data from EU citizens wherever those companies are in the world must be compliant with GDPR by May 25 this year.

Less serious violations of the GDPR such as not having records in order or failing to notify supervisory authorities of a data breach within 72 hours of the incident, will incur fines of 2% of the offending company’s global turnover.

Even if your company could shrug off the impact of such fines, the news that it didn’t protect customers’ data could still cause irreparable damage to your reputation and affect your future business.

Then there’s the chance your company may have to compensate your customers. That’s because the purpose of the GDPR is to put individuals in control of their personal data and to empower them to choose how (and if) businesses use their data, so they will have increased rights to legal recourse and even claim compensation.

For these reasons, it’s critical to do everything possible to prepare for the GDPR and to ensure your company is fully compliant by May 25.

Worryingly, many companies are unprepared for the deadline. For example, security chiefs at FTSE 350 and Fortune 500 companies revealed that over half are not ready for the new regulations, according to a survey conducted by international law firm Paul Hastings.[1] Likewise, more than 90% of the UK’s small businesses won’t be compliant come May 25, according to a study carried out by the National Federation of Self Employed & Small Businesses (FSB).[2]

It seems GDPR unpreparedness is a worldwide condition, according to an article entitled ‘GDPR: the numbers don’t lie – the world isn’t ready’.[3] In a round-up of global markets, it revealed Computerwoche, a German IT publication, found only 2% of German companies are prepared; The Independent reported that Irish firms said meeting GDPR compliance would be ‘challenging’ or ‘extremely challenging’ and Le Monde Informatique reported less than 10% of French companies were GDPR-compliant.

Unfortunately, ignorance is no defence in law. If your company is not yet compliant and you know it can’t afford to pay the massive fines for data breaches and their fallout, it’s time to put your skates on—time is running out.

The Steps You Must Take

Analyse the data your company holds and determine where it is, whether you need it, and who in the company has access to it. Find out your core sources of data. You need to know how your company manages the risk of duplicating data, inaccuracies with data, and the failure to delete data that is outdated.

Look at the data you share with third parties—clients, suppliers, partners, and regulators. With GDPR, you must understand and manage the risk of transferring that data. More importantly, you are responsible for ensuring that data is protected by any third party.

Let your customers or clients know the lengths to which your company goes to ensure their personal data is protected. It could be the thing that sets your company apart from your competitors and the reason customers or clients choose you so is well worth doing.

Ensure that your company is not using clients’ personal data for anything more than what they agreed to. If they agreed to sign up for your newsletter, that’s not permission to sell their details to a third party, for example.

Let clients or customers know the ways you use their data. Explain why you need it and with whom you intend to share it. Be aware that your customers or clients may withdraw their consent whenever they like. Make sure you acknowledge their requests for removal from your data bank with an email.

Make every effort possible to protect the data you hold about your clients or customers from organisational and technical risks. You need to ensure everyone within your company is aware of the external forces that could disrupt your business and that you have a strategy to deal with it.

If your organisation deals with large amounts of client data, consider appointing a Data Protection Officer. This person will liaise with regulators, maintain the right level of privacy awareness within your organisation and monitor your company’s GDPR-compliance.

[1] Fortune and FTSE Companies Underestimate GDPR Compliance by May 2018, New Research Shows, Paul Hastings LLP [US], https://www.paulhastings.com, December 15, 2017

[2] ‘Ninety per cent of small firms still not prepared for new data regulation, new research shows, National Federation of Self Employed & Small Businesses Limited, https://www.fsb.org.uk, February 26, 2018

[3] ‘GDPR: the numbers don’t lie – the world isn’t ready’, https://gdpr.report, January 30, 2018