Unless you’ve been living under a rock, you will know that GDPR is coming into effect on 25 May 2018. At the very least, your email inbox has probably been flooded with emails from companies asking you to review your preferences and telling you that their data handling processes are changing.
The new EU regulation applies directly in the UK and, together with the Data Protection Act 2018, supersedes the Data Protection Act 1998. It governs the way individuals’ personal data is obtained, used and processed.
There has been much speculation about the consequences of failing to comply with GDPR. Scaremongering headlines suggest that any organisation in breach of the regulation could be fined huge amounts of money: up to 4% of its annual worldwide turnover.
In reality, it’s unlikely that very large fines will be the norm, much less that most will reach into millions of euros. That’s not to say, however, that businesses can rest on their laurels when it comes to GDPR compliance. The way you handle personal data will always have the potential to cost a company both its reputation and money.
So, what are the real ramifications of failing to comply with GDPR? What is fact and what is fiction? This blog will look at the true consequences of failing to comply with GDPR and the effect that could have on your organisation.
Under GDPR, organisations that fail to comply and/or suffer a data breach could face a fine. In the most serious cases, this fine could be up to 20 million euros or 4% of a company’s annual worldwide turnover, whichever is higher. This upper limit far exceeds the current maximum fine of £500,000 allowed under the Data Protection Act 1998.
When deciding whether to impose a fine, and how large it should be, the ICO will consider (amongst other things) the following:
- The severity and duration of the data breach
- Whether the breach was intentional or negligent
- If the company has had a previous data breach
- The type of personal data involved in the breach
- Whether the breach affects the rights and freedoms of the individuals affected
Naturally, many organisations are concerned at the prospect of a financial penalty. In reality, though, they probably shouldn’t be quite so fearful. The Information Commissioner’s Office (ICO) has said that GDPR is not about fines; it is about putting the privacy of the citizen first. In fact, the ICO says that fines will always be a last resort. What the substantial fines associated with a serious data breach do show, however, is the importance of protecting personal data in the digital age.
Beyond any financial penalty, perhaps the biggest ramification of failing to comply with GDPR is the damage to your company’s reputation, which can sometimes be beyond repair.
How you obtain, process, share and handle data has the potential to make or break your reputation. Think about some of the companies that have suffered a data breach in recent years: Yahoo, Three and Uber, to name a few. Did your opinion of them change in the aftermath of the breach? Did you question their competence and/or security? If you were a customer or had a user account, did you decide to use a different company instead? Perhaps you reverted to using a local taxi firm, or maybe you switched mobile phone carrier. In the long term, loss of customers due to a damaged reputation can have financial repercussions far worse than any fine. In some instances, your reputation could be impossible to recover.
Instead of taking a blasé approach to data protection regulations, take pride in the way you handle data. Spread the word throughout your organisation that GDPR compliance is a company-wide responsibility and that every team can help you achieve it. Arrange data protection training for any staff who are involved in data handling, or for any other teams you feel would benefit. Strive to establish yourself as a leader in the way you handle data and an example of good data protection practice. The more you invest in GDPR compliance, not just financially but in terms of time and effort, the more your company will reap the rewards.
Compensation for damages
Under GDPR, individuals also have the right to claim compensation for any material and/or non-material damage which results from an infringement of the regulation. The most serious data breaches could result in a high volume of claims, which can be incredibly costly. Take the Ashley Madison data breach, for example. The website for extramarital affairs fell victim to a cyberattack in 2015 which exposed the data of around 36 million user accounts. Due to the sensitive nature of the website, and the potential negative impact on the personal relationships of those users whose data was exposed, a number of victims of the hack sought compensation. The site’s parent company, Avid Life Media, reached a settlement agreement of around $11.2 million to be paid to individuals affected by the breach. Far better to have watertight data protection procedures in place than to experience a breach and face paying thousands, or millions, to affected customers further down the line.
While there are a number of implications associated with failing to comply with GDPR, the above are perhaps the most significant. The overriding message from the ICO itself is to make sure you take the necessary steps to demonstrate compliance, but not to be unduly worried about large financial penalties.
Core have created a useful GDPR guide and checklist to help you on the path to GDPR compliance. You can use this checklist to assess how compliant you are currently, and identify any gaps in your existing data protection procedures. You can download your free checklist below: