The Cost for Companies Worldwide
By now most businesses have heard about the General Data Protection Regulation and the fines it allows. Those fines are a drastic change from the consequences of a data breach under the previous regime. The prior legislation, the Data Protection Directive, left penalties to each member state’s national law, and the resulting caps were typically in the hundreds of thousands of euros. That is not small by any means, but it does not come close to what GDPR allows.
GDPR (Article 83) sets two tiers of administrative fines. For the most serious infringements, such as violating the basic processing principles, ignoring data subject rights or making unlawful international transfers, a company can be fined up to 4% of its total worldwide annual turnover or 20 million euros, whichever is greater. For other infringements, including failures of security measures (Article 32) and of breach notification (Articles 33 and 34), the cap is 2% or 10 million euros, again whichever is greater. Fines are also no longer a single national matter: a supervisory authority can fine every infringement it finds, and a breach that exposes a weak security posture can draw separate findings for the security failure, for late or missing notification, and for the underlying processing principles. Note that supervisory authorities impose these fines administratively; this is not a criminal prosecution.
While investigating a breach and imposing a fine takes time, big companies are already facing big exposure. For instance, Facebook is currently under investigation by the Irish Data Protection Commission for a September 2018 breach in which access tokens for roughly 30 million accounts were stolen, many belonging to users in the EU. If the findings show that Facebook did not take the necessary precautions to protect user data or did not report the incident quickly enough, the theoretical maximum penalty is 4% of its worldwide annual turnover, which at the time was widely reported as approximately $1.63 billion. Whether the top tier would actually apply depends on which articles the regulator finds were infringed, and the final amount is set by the factors in Article 83(2), not by the cap alone.
Again, it takes time for investigations to conclude, but regulators already have experience levying fines. The UK Information Commissioner’s Office (ICO), for example, imposed monetary penalties for years under the Data Protection Act 1998, the UK’s implementation of the Directive, which capped fines at £500,000. Under that law the ICO fined Facebook £500,000 over the Cambridge Analytica matter, Uber £385,000 for its 2016 breach affecting UK users, and Equifax £500,000 for its 2017 breach. Two of those three were the statutory maximum; under GDPR the same conduct would face a far higher ceiling. Clearly, the mechanisms for investigating breaches and levying fines are in place.
Avoiding GDPR Fines
The far-too-simplistic answer to how one avoids GDPR fines is to comply with the regulation. In practice, compliance means three things: evaluating and updating data protection processes and mechanisms, doing business with the data subject’s interests at heart, and responding swiftly in the event of a breach, including notifying the supervisory authority within 72 hours of becoming aware of it, as Article 33 requires.
Working with your legal team, a GDPR consultant or your Data Protection Officer, address the following for your business:
- At what points in our operations do we collect data?
- Is there data that we request that we don’t need?
- What do we do with the data?
- Is the data stored securely?
- Is the data processed using current security standards?
- Do we need to keep this data? Do we have a process for data deletion?
- Have we documented all of our data handling processes?
- How quickly can we detect and respond to a breach? Can we assess its scope and notify the supervisory authority within 72 hours of becoming aware of it, and affected individuals without undue delay where the risk to them is high?
- How will we document and track the steps taken to contain and mitigate a breach, so that we can show the regulator what we did and when?
- Do we have mechanisms for individuals to withdraw consent and to opt out of processing such as direct marketing?
- Do we know which third parties (processors) have access to our customer data, do we have data processing agreements with them, and what are their data handling and breach notification processes?
- Are our privacy policies up-to-date and easily accessible to customers?
It’s also important to note that the regulation tells supervisory authorities how to size a fine. Article 83(2) lists the factors they must weigh, among them the nature, gravity and duration of the infringement, whether it was intentional or negligent, the technical and organisational measures the company had in place, the action it took to mitigate the damage, its degree of cooperation with the authority, and whether it reported the breach itself. So when a business makes a good-faith effort to employ safe data handling practices, and acts in a forthright way once a breach occurs, it will likely face a lower fine. While GDPR fines can be frightening, the goal of the regulation is not to make businesses pay; rather, it is to keep the personal data of people in the EU safe.