GDPR violations – Hefty fines or broken reputations; which is worse?
The General Data Protection Regulation is only a few short months away and organizational readiness to comply is in short supply.
This impending legislation is designed to provide rigorous data security and privacy protections and also give consumers more control over how their personal information is collected and used. Despite the looming deadline, Gartner warns that up to 50 percent of companies under the mandate will not be in full compliance by the end of 2018.
In fact, many companies have no plan for GDPR because they do not believe that it will apply to them. NTT Security found that four in ten companies globally feel this way, with 75 percent of US businesses and 61 percent of UK businesses indicating their companies would not be affected. This is a mistake.
While the regulation is targeted at protecting citizens of the European Union (EU), it actually does have global reach – any company that stores personal data on people residing in the EU will be affected. And we’re not just talking about EU citizens here either. The key term is residents.
Friends of mine, American citizens who live in Germany, are a great example of how GDPR can reach beyond EU-based businesses. EU residents for many years, they still own vacation property in Florida, which they rent out through a relatively small US-based real estate management company. And because they are EU residents, that company, which only operates locally, is technically on the hook to comply with GDPR. The problem is bigger than you might think: GlobeNewswire posits that 52 percent of US companies possess data on EU citizens, making them legally subject to the regulations.
Monetary Consequences of Noncompliance
The regulators can start administering these protections on May 25, 2018, and the legally enforceable penalties for non-compliance, while gradually increasing in severity, can be pretty stiff. These start with a written warning for the first non-intentional violation. Violators are then subjected to regular periodic data protection audits, which will shine a continuing regulatory spotlight on compliance trouble spots.
This unwanted attention will cause, at minimum, discomfort for the 50 percent who try but fail to become totally compliant and potential catastrophe for those who did nothing to prepare and thus have unfavorable positions when negotiating with regulators. How much catastrophe is possible for repeat offenders?
Monetary penalties can range from €10 million or 2% of annual global turnover (revenue), whichever is higher, to an upper limit of €20 million or 4%. That is in no way a drop in the bucket.
Reputational Consequences - Much Worse?
As devastating as the monetary penalties could be, the cost in terms of broken reputation and loss of customers may be worse. And these costs could easily spill over to companies who truly do have no legal obligation to comply. Why? Because GDPR is going to raise the bar on customer expectations – much like the early digital companies did several decades ago.
Think back to Amazon, Yahoo, eBay and a few New York City banks (the first to provide internet banking) as examples. Once they introduced online capabilities such as internet search, shopping, and finance – it didn’t take long before every competitor had to follow suit or risk losing their customer base.
With GDPR, as consumers start to see what compliance actually means – and by extension what non-compliance looks like – we believe that they will start expecting ALL companies they do business with to comply regardless of whether those companies are legally obligated to do so or not. And, as in times past, these customers will “vote with their feet” and gravitate away from GDPR laggards towards those who provide the best data protections and consumer controls.
Even if the spread of expectations past the legal reach of GDPR takes some time, there is plenty of evidence that consumers are ready to exercise their rights under the mandate wherever and whenever they can. A recent SAS poll of UK adults highlighted just how ready people are to take control of their personal data. Not only do almost half of the respondents plan to exercise these rights, but they are clearly educated on exactly what these rights will be.
Following is some of what they told SAS:
- 64 percent welcomed ‘the right to access’ (e.g., get a copy of personal data held about them).
- 62 percent welcomed ‘the right to erasure’ (e.g., erase personal data from certain systems).
- 59 percent welcomed ‘the right to rectification’ (e.g., if personal data is inaccurate or incomplete).
- 56 percent welcomed ‘the right to object’ (e.g., using data for marketing and profiling).
- 54 percent welcomed ‘the right to restrict processing’ (e.g., if they contest accuracy of data).
- 43 percent welcomed ‘rights in relation to automated decision making and profiling’ (e.g., the right to seek human intervention following an automated decision they disagree with).
In terms of data security breaches, a significant component of GDPR, companies are already worried about reputational consequences. In the Risk Value report referenced earlier, NTT Security found that 57 percent of companies believe they are currently at risk for a data security breach and 55 percent think that consumer confidence would be the most significant consequence. Considering that confidence equals trust equals satisfaction and reputation, companies unprepared for GDPR should be concerned.