The Bite Behind the Bark: Enforcement Power of GDPR

There’s an old saying: Their bark is worse than their bite. However, this is not the case with the penalties of non-compliance when it comes to the General Data Protection Regulation (GDPR). With the enforcement date of the GDPR having passed on May 25, 2018, any company not in compliance could be in for a very nasty shock. And remember, GDPR is not limited to European Union (EU) businesses. Any entities processing the personal data of EU citizens have to comply. This impacts mostly any website today as well. So, what is personal data in the GDPR world? It’s things like tracking IP addresses, geographic data, and basically any information relating to an identified or identifiable person.
 
Ignorance does not equal compliance and GDPR is sure to make its “bite” felt for non-compliance. GDPR even recommends that businesses employ a privacy officer, as there is no more hiding behind a vendor or consultancy. This goes for small- and medium-size businesses (SMBs) as well as large global organizations. The penalties of non-compliance and the new power given to data protection authorities makes enforcement of these regulations the key to ensuring these rules get followed.
 
The bark heard around the world
The scope of GDPR positions the EU as a leader in data protection, so don’t be surprised if other countries follow suit. Under GDPR, should a company of any size fall short of compliance, financial penalties abound…which is the bite that could bring an SMB to its knees.
 
If you process sensitive data on a large scale (like some social media platforms for example), you might have to appoint a data protection officer. Some large organizations are forming huge cross-functional teams to support GDPR compliance. This might include leaders from areas like product/services, UX/UI, policy, and legal. Imagine the financial impact of any organization trying to pull resources to dedicate to this one mandate? Any way you slice it, businesses collecting consumer information through online tracking, which is a given nowadays, will need to comply – which impacts sea to shining sea. 
 
The data breach bite
With no lack of data breaches on the horizon, a big GDPR focus is around security and data breach. The EU is doing what the U.S. hasn’t been able to do yet – set a universal standard for breach disclosures, which include:
 
  • Reporting any security incident involving personal data with 72 hours. That’s right – not next month or within the year like some brands have in the past.
  • Come clean early on. So, if a data breach has a high risk of adversely affecting individuals’ rights and freedoms, then it’s expected a business should report without “undue delay”.

Backed by fines that are sure to hurt, GDPR unleashes the fury on sloppy security which could not only cost reputation harm, but really hurt the bottom line, or perhaps bottom out an SME altogether. Some factors that play into substantial fines might be:
 
  • How many were impacted, and the extent of the damage inflicted?
  • Was the damage intentional or just negligence?
  • Did the company take steps to stop the damage?
  • What steps have been taken by the organization, either technical or personnel-wise to address the issue?
  • Is this a first-time offense?
  • What is the cooperation level of the offending organization?
  • What was the data that was compromised?
  • Was this self-reported?

If your answers to these questions find that the issue arose from technical problems or lack of reporting, fines can reach up to 2% of revenue from the prior year. However, if the issue is found to be a general lack of compliance with key parts of the GDPR regulation, the fines rise to 4% of revenue from the prior year.

So, what are some of the issues that could lead to the higher fines? Sending personal data to “third countries” or international organizations that don’t provide proper data protection, or not adhering to the principles of processing personal data can lead to these larger fines. As you can imagine, some of these companies have annual revenues in the tens of billions, so the fines are substantial. Add to that the image blow a business takes when found to have been breached, and the revenue hit becomes even larger.

For over a year now, the GDPR’s bark has certainly been heard. And now that the compliance date has come and gone, companies will soon find out that the bite for non-compliance can really hurt. What can you do now?
Visit the EventTracker GDPR compliance page and download the solution brief to learn more about what needs to be done and how to protect your company.

Also, check out this webcast, Five Things You Should Know about GDPR Compliance, hosted by EventTracker’s CEO A.N. Ananth and the CEO of Fifth Step and GDPR author, Darren Wray.
 
References:
GDPREU.org
TechCrunch