GDPR could endanger the business of many companies, and plenty of business owners and shareholders are rightly worried about the possible impacts of the GDPR, according to surveys.
The deadline is short and the number of changes you might have to introduce could be significant, so it is best to explore these issues right away.
GDPR: The Deadlines
The GDPR applies from 25 May 2018. By that date, every company and organisation that falls within its scope must be fully compliant with its provisions; no grace period follows. In fact, the grace period is already running out, since the Regulation was adopted on 27 April 2016 and entered into force on 24 May 2016.
This gave companies two years to adapt to the GDPR. In practice, however, plenty of questions have not yet been addressed by the data protection authorities and there are still many uncertainties. What is not uncertain is the threat of enormous fines for non-compliance.
Recent surveys have shown that as much as 20 percent of all businesses feel they could get shut down by the GDPR. Over 86 percent felt that the GDPR could have a significant negative impact on their business. These rates are higher for non-EU companies.
This issue is exacerbated by the fact that the GDPR applies not only to businesses established in the EU, where most already have to conform to stringent privacy rules and have at least a rudimentary idea of the requirements; under Article 3 it also applies to non-EU businesses that offer goods or services to, or monitor the behaviour of, individuals in the EU. They, too, could be at risk of fines, some without even realising they are in scope.
Shock and Awe
The surveyed business owners are right; the GDPR, or rather non-compliance with it, could very well put them out of business. The issue with the GDPR is its global reach: even before working on compliance, you should first determine whether the GDPR applies to you at all. If you conduct any business in the EU or process the personal data of people in the EU, this is likely the case and you should start preparing as soon as possible.
Companies are concerned about data retention policies – how long should they keep their data, and when they should delete it. They also fear that their data management methods are inadequate – and the lack of concrete guidance does not help at all.
Companies should implement data protection by design and by default (Article 25), conduct Data Protection Impact Assessments for high-risk processing (Article 35) and ensure that individuals' rights to erasure (Article 17) and to restriction of processing (Article 18) are always respected.
The possible penalties are huge. There are two tiers of fines. The lower tier covers breaches of the controller's and processor's operational obligations (including data security), while the higher tier covers the core principles, data subjects' rights and international transfers. The less serious infringements carry a fine of up to EUR 10 million or 2 percent of the company's total worldwide annual turnover, while the more serious ones double both figures to EUR 20 million or 4 percent. In each case, whichever figure is higher applies. A large company with a turnover in the billions could, theoretically, be forced to pay hundreds of millions in fines.
Article 83 of the GDPR outlines the infringements that can be fined. The lower tier encompasses infringements such as:
- failure to implement appropriate technical and organisational security measures (Article 32)
- late or missing breach notification (Articles 33 and 34)
- failure to keep records of processing activities (Article 30)
- failure to designate a data protection officer where one is required (Article 37)
- failure to obtain or verify parental consent when processing children's data (Article 8)
- lack of cooperation with the supervisory authority (Article 31)
More serious infringements carry the higher penalty tier. These are:
- violations of the basic principles for processing, including the conditions for consent (Articles 5, 6, 7 and 9)
- violations of data subjects' rights (Articles 12 to 22)
- violations of the rules on data transfers to third countries (Articles 44 to 49)
- failure to comply with an order previously issued by a supervisory authority
The good news is that the UK's regulator, the ICO, has signalled that fines will be a last resort and that first offenders who promptly rectify the issue are likely to escape with a warning. The enforcement mechanism will, in principle, allow companies to fix the problems themselves after a warning from the regulator before it proceeds to further action. That said, recent research suggests that fines for past incidents would have been much larger had the GDPR been in place during the last few years.
When setting the amount of a fine, the supervisory authorities must take into account the factors listed in Article 83(2), including the nature, gravity and duration of the infringement, whether it was intentional or negligent, the measures taken to mitigate the damage, previous infringements, the degree of cooperation with the authority, and how the authority became aware of the infringement, for example through timely self-reporting.
What Can I Do Right Now?
The best thing you can do is either to start preparing for the GDPR, if you have not, or hire experts to help you. There are a few things you can do on your own, though.
You must appoint a data protection officer if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if they involve large-scale processing of special categories of data or criminal conviction data (Article 37). Even if you are not obliged to, it is still a good idea to engage one at least part-time; Article 37(6) allows the DPO to work under a service contract. A good DPO provides a wealth of practical guidance and can save you significant money in fines, even if the role does not seem cost-effective upfront.
Then, sort out consent. Consent obtained from existing users and customers remains valid only if it already meets the GDPR standard (Recital 171), so re-evaluate your consent forms. The requirements are more stringent than before: consent must be freely given, specific, informed and unambiguous (Article 4(11)), demonstrable (Article 7), and explicit where special categories of data are processed (Article 9).
Notify the supervisory authority of any personal data breach within 72 hours unless it is unlikely to pose a risk to individuals (Article 33), inform the affected individuals where the risk is high (Article 34), and get into the habit of documenting what personal data you hold, where it came from and why you process it (Article 30). Such records make it far easier to answer data subject requests, which the law requires you to respond to within one month (Article 12(3)).
All these measures will cost something, but that beats paying a huge fine once the GDPR applies. It is much better to prepare in time than to put your business in jeopardy.