With the General Data Protection Regulation (GDPR) less than a year away, any company that does business in the EU will soon need to ensure that it is following the regulations on securing customer information, obtaining consent for personal data usage, and much more.
Shockingly, many companies are failing to prepare, and they will face severe repercussions if they do not adequately protect consumer data privacy.
What if your data becomes compromised through a data breach? What are the ramifications for not having sufficient measures in place to prevent that breach, and how will your company be affected under the GDPR?
The GDPR Has Heavy Fines
If your company isn’t fully compliant with the new regulations on data security and consumer personal data, expect to lose a lot of money from GDPR fines alone. Fines are tiered based on the severity of the non-compliance and on the degree of negligence or inaction on the part of the company, which is often the root cause of data breaches.
For instance, if a data breach poses a high risk to the rights and freedoms of an individual, and a company does not have the processes in place to notify consumers within 72 hours, they’re subject to a fine of 10 million euros or 2 percent of annual global turnover—whichever is greater.
And that’s the smallest fine. For severe faults like not obtaining customer consent for data processing or violating the requirements of Privacy by Design, the fine will be raised significantly to 20 million euros or 4 percent of annual global turnover.
For many small or mid-sized businesses, either one of these fines could be devastating. And these fines aren’t levied against just the data controllers, either. Companies that act as data processors will still be fined.
PR and Legal Nightmare
Given the GDPR’s 72-hour timeframe for reporting a data breach, there isn’t much time for a company to fully assess the damage of a breach before reporting it to a supervisory authority, and to the affected data subjects if the breach is high-risk.
Breaches become public very quickly, and with that comes a potential PR catastrophe. Many companies have completely bungled public data breaches in the past. Their mistakes illustrate the importance of a company having a solid PR plan for a data breach. In these cases, hiding the fact that a data breach occurred is the worst possible plan. Transparency is a necessity.
In the wake of the GDPR, companies should also prepare for an uptick in legal action from European consumers, not just over data breaches, but over data security and GDPR compliance in general.
While lawsuits will continue to arise over matters of personal privacy, data breaches will also be a key legal issue, especially if a breach occurs because of non-compliance with the GDPR.
All of these factors will result in heavy losses of revenue. No business can afford to be non-compliant with the GDPR.
How to Prevent a Data Breach
Make no mistake: even if your company isn’t physically located in Europe, it will still be subject to all of the GDPR’s regulations if it offers goods or services to EU citizens or monitors behavior that occurs within the EU. Many companies fall under that definition, regardless of physical location.
What can be done to make sure these data breaches don’t happen? Becoming educated on the requirements of the GDPR is the first step. Reassessing your current data infrastructure and your readiness for the GDPR will help you gauge what needs to change to be fully compliant.
In addition, having a solid data management strategy will be a major benefit. Creating a completely fleshed-out process for developing and maintaining a strong security plan will also be important moving forward.
By following these steps, preparing extensively for the GDPR, and updating your data security to guard against potential data breaches, your organization will save millions in the long run.