The EU General Data Protection Regulation has now been in effect for more than a month, and the changes it introduced have already been noticed by most businesses and the people whose data they use. Complying with the GDPR is of paramount importance as regards the protection of the right to privacy and of the data of physical persons. For this reason, and in order to ensure compliance, article 58 of the Regulation gives the competent authority of each Member State broad powers to monitor compliance and apply corrective measures in case of non-compliance.
One of the most important elements of the GDPR is the introduction of heavy fines for non-compliance. Article 83 sets out the general conditions for imposing administrative fines and prescribes two levels of fine depending on the nature and severity of the breach. The lower level, a fine of up to EUR 10 million or 2% of worldwide revenue for the preceding financial year, whichever is higher, applies to less serious infringements, and the higher level, a fine of up to EUR 20 million or 4% of worldwide revenue for the preceding financial year, whichever is higher, applies to more serious breaches.
A fine of this magnitude could put many companies out of business, and companies are therefore obliged to take data protection very seriously and adopt all measures necessary to ensure that their organization is GDPR-compliant. However, given the difficulty of achieving 100% GDPR compliance all the time, companies should be prepared for the risk of fines and take steps to minimize the threat that they could pose to the existence and viability of the organization, for example by taking out a cyber insurance policy. Indeed, many companies may choose to be insured against the risk of GDPR breaches rather than go all the way to being GDPR-compliant. However, it is important to note that, whilst an insurance policy may cover the costs of the fine and of resolving the breach, it will not cover the indirect consequences of the breach, such as the damage to the reputation of the organization, the negative press and the loss of trust on the part of customers and partners. The raised awareness that the GDPR has caused, combined with recent data leakages and scandals, has resulted in unprecedented sensitivity regarding data protection. It is easy, therefore, to understand that harm done to the reputation of a company by privacy issues may be irreversible and have destructive consequences for the organization as a whole.
Data protection is not, and should not be considered as, a “luxury”; instead, it should be a strategic consideration for every company, particularly those which process personal data. Companies that show insufficient respect towards data protection are vulnerable to a potential fine and all the consequences that come with it. The deterrent effect of fines under the GDPR undoubtedly encourages companies to adopt a proactive approach when it comes to data protection, so the implementation of the GDPR does not depend solely on the competent authority of a Member State. Obviously, the competent authorities will need to monitor compliance properly and intervene where necessary to impose corrective measures and fines, and in order for monitoring to work they will need to be adequately funded and staffed. Given that funding comes out of individual Member States’ budgets, the effectiveness of national competent authorities may vary between Member States.
However, companies are enforcing the GDPR on their own initiative not only due to the fear of financial penalties, but also because if they do not comply with the GDPR they risk losing their place in the market to those that do. Data protection and compliance with the GDPR have become a competitive advantage, and developing a culture of respect towards data protection is important in building confidence in an organization and creating a trustworthy brand. The contribution of larger companies can be significant, since they are driving enforcement by requiring other, smaller companies to comply with the GDPR and cutting them off if they do not. Smaller companies are therefore obliged to comply with the GDPR so that they can compete with their peers and gain the trust of the larger companies they intend to co-operate with.
In order to survive in this competitive environment, companies must ensure that they stay at the forefront of legal developments and that adequate resources are allocated for the adoption of the appropriate measures in order to fulfil the ever-increasing legal obligations to which they are subject.
For further information on this topic please contact Antonis Vryonidis.