The GDPR came into force on the 25th of May 2018 after four years of debate and preparation before being passed by the EU Parliament last year. The rules and regulations stipulate how businesses should collect, process, and store the personal data of EU citizens, regardless of where they live. Any businesses that failed to implement GDPR-related measures by the aforementioned date, could find themselves in a difficult and costly situation.
As the way that businesses and companies collect and use data is being increasingly scrutinised, the privacy concerns of customers is increasing. It does not make sense for businesses of any size to take any unnecessary risks.
Those found breaching the GDPR regulations can expect to pay fines of up to EUR 20 million, or up to 4% of the total global annual turnover based on the previous fiscal year. These fines could cripple small or medium sized enterprises, and as citizens become more aware of their rights, the threat of breaches being discovered and reported is always increasing.
Exactly how much a government decides to fine a company is at the discretion of each jurisdiction. For example in the UK, the highest fine to date has been GBP 500,000, after two independent breaches were identified; including social media site Facebook and consumer credit reporting agency Equifax. Whilst there are no clear-cut guidelines, it is expected that the first cases in each country will set a precedent for future handling of such situations. It is however anticipated that all EU Jurisdictions will come down hard on those companies that choose to flout the law, or that fail to uphold their obligations.
It is also worth noting that fines are applied in addition to, or instead of remedies or corrective action that could be taken to alleviate the infringement. The relevant authorities in each jurisdiction will look to a statutory catalogue of criteria to assist them in making a decision as to whether, and what type of penalty will be levelled against the accused entity.
But it is not just finances that can suffer as a result of failure to comply with the GDPR, there is also reputational damage that must be considered. Businesses cannot afford to make headlines for the wrong reasons and it is likely that consumers will avoid a brand if they believe that their personal data and information is not secure.
In addition, if a company continues to use customer data in a way that is not accepted by the individual, or they refuse to comply with requests, they will lose business as well as risk incurring penalties from the authorities.
A punishable situation such as a breach of security, a leak, the illegal collection and sharing of data, or communicating without the permission of the receiver, can be reported by any individual, authority, employee, customer, or potential customers. It is also possible for the company to self-denounce, or for the press to report such matters.
Whilst complying with the GDPR may be complex and require significant alternations to policies or processes, the benefits far outweigh the financial and reputational consequences that could be incurred as a result of failing to conform. Adhering to GDPR will not only allow a business to avoid fines, but it will also improve the relationship with the customer and authorities, as well as paving the way for better processes and business relationships in the future.
At BDO, our team of experienced professionals is dedicated to helping our clients succeed. We start by helping them understand their GDPR compliance obligations, before creating and executing a remediation plan designed to minimize cost and disruption while meeting all requirements. While every plan is specifically customized to meet each of our clients’ unique situations, our main services are aligned to support the most common GDPR compliance requirements.