Will GDPR Kill Unsuspecting Businesses?
The new data protection rules known as the General Data Protection Regulation – or GDPR for short – go into effect in less than four months, yet many businesses are woefully unprepared.
GDPR is a set of European regulations that govern the collection, utilization, and protection of private information belonging to residents of the European Union (EU), as well as similar information about non-EU residents that is located on computer systems physically situated within the EU. The EU enacted GDPR with several goals in mind – primarily to provide Europeans with better control over personal information pertaining to them, as well as to reduce the complexity of privacy regulations throughout the region by establishing a single, relatively strict, EU-wide standard.
Many companies – especially those typically classified as small or medium sized – have paid inadequate attention to GDPR and its approaching May 25th deadline for compliance, sometimes dismissing GDPR as something of relevance only to larger enterprises and businesses in highly regulated industries. In fact, however, businesses ignoring GDPR are terribly mistaken – and their mistake could be costly, or even fatal.
As alluded to above, GDPR does not apply solely to data collected in the EU – it applies to the data of residents of the European Union regardless of where it is collected, used, or stored. If personal information within your organization is about an EU resident, it is likely subject to GDPR protections – meaning that your organization must comply with GDPR. Even people who are not EU citizens – but who live in the EU – are covered, so, essentially, any business that markets goods or services to residents of the European Union must comply with the new regulations.
While, in theory, GDPR is limited in scope and only applies to companies that meet specific criteria – for example, related to size, locations, and the data they handle – the reality is that the criteria are broad enough to reasonably include not only most European businesses, but also most American businesses that service Europeans in some fashion.
For example, if an EU resident vacationing in the US purchases electronics from your company’s website, books a room via your shared-economy lodging app, or uses your online dating/social network, GDPR may apply to the personal information that you collect when dealing with him or her. (Please consult a lawyer for the specifics regarding your own business’s data.)
Clearly, then, European and American companies need to be prepared to comply – but, according to many who have studied the matter, many, if not most, are unlikely to be anywhere near adequately ready by May 25th. In fact, analysts at the research firm, Ovum, found that even when one includes EU companies, executives from more than half of firms polled expect their firms to endure fines for GDPR non-compliance!
In fact, GDPR non-compliance penalties can be quite severe – GDPR allows regulators to fine companies as much as 4% of revenue or 20 million Euros, whichever is greater. Considering the revenue levels of many smaller businesses, and the profit margins of many larger ones, this means that failing to comply with GDPR can literally transform a profitable company into one losing money, or even force a firm into bankruptcy.
To put things in perspective, the consulting firm, Oliver Wyman, described the arrival of the GDPR compliance date as a “Tsunami,” and calculated that had GDPR been in effect over the last five years, the members of the FTSE 100 Index alone would likely have been hit with 25-million Euros in fines.
Of course, the damage from non-compliance is not limited to the dollars or Euros lost to fines. Even if regulators “went easy” on a smaller firm, the bad publicity resulting from the disclosure of non-compliance could scare away both prospects and existing customers. It is also naïve to think that litigators will not pounce on the opportunity to sue firms that regulators have found to be negligent with people’s private information.
Can firms comply with GDPR with last-minute efforts?
Such an approach seems unlikely to produce the optimal results, to put it mildly.
GDPR is long and complex – consisting of about 100 articles – with many requirements within them established using somewhat vague terminology (e.g., the use of “appropriate” and “reasonable” to describe levels of security), and potentially requiring interpretation by corporate technical professionals, experienced information-security and privacy experts, compliance officers, and legal counsel. Furthermore, in some cases, GDPR requires that a firm appoint a qualified Data Protection Officer; competently carrying out such a mandate at the last minute would clearly be quite challenging.
In short, companies need to understand that unless they have looked into the matter and determined otherwise:
1. GDPR’s requirements apply to them
2. If they don’t comply with GDPR’s requirements, they may face devastating consequences
3. They need to get to work on GDPR compliance as soon as possible; a good first step is to utilize a free assessment tool, so you can figure out where you stand and what you need to do.
For tips on GDPR, please watch the webinar, The Framework for GDPR Compliance, featuring Forrester Research, now available on demand.
This post is sponsored by Egnyte.