The EU GDPR, enforceable for 3.5 months, hasn’t made too many headlines regarding the fines levied for non-compliance. Hopefully by now your organization is ready with the basics and has been moving forward with raising awareness and understanding of the behaviors and processes expected of everyone in the organization. Because the non-compliance fines can be €20 million or 4% of global turnover, whichever is higher, anyone doing business in the EU could face an insurmountable threat.
The reach of the stringent regulation transcends EU boundaries, member states and jurisdictions. Data controllers and data processors operating outside of the European Union’s geographic boundaries that handle the personal information of the Union’s residents are bound to abide by the mandates put forth in the GDPR.
The most jarring headlines appeared within hours of the GDPR going into effect, when complaints were filed against Facebook, Google, Instagram and WhatsApp. While the amount of the fines is not yet clear, Facebook, Google, Instagram and WhatsApp are potentially on the hook for about $8 billion collectively in lawsuits from this first major GDPR filing. Fines of that size would be catastrophic for most businesses, although they may have little to no effect on the giants of social media. As a point of fact, this was the first time that a non-profit organization represented data subjects in the exercising of their Article 80 GDPR rights.
The complaints filed by the non-profit organization NOYB (None of Your Business) are testing whether an organization is entitled to bring complaints on behalf of individuals under the GDPR. If the filing proves successful, there will be many more such filings in the near future, putting any organization at risk.
This was also the first time that, under Article 77 GDPR, the complaints were not filed in the EU Member State where the companies have their headquarters, but rather in the data subjects’ country of residence. The complaints against Facebook, WhatsApp, Instagram and Google were brought before the local Data Protection Authorities in Austria, Hamburg, Belgium and France, respectively.
In July, as a result of the Cambridge Analytica data-harvesting scandal, Facebook received a £500,000 fine ($664,000) in the UK. Although this was not a result of GDPR enforcement, the Information Commissioner’s Office (ICO) levied the fine because Facebook failed to properly safeguard its users’ information from third-party exploitation. Facebook was also not transparent about how the personal data was potentially used. If this incident had occurred after May 25th, under the GDPR the potential penalty for Facebook could have been an additional €1.7 billion (nearly $2 billion) from the UK Data Protection Authority (DPA).
Cambridge Analytica, the former political data firm, abruptly closed its offices in Manhattan, New York, and its affiliated UK entity, SCL Elections Ltd, no doubt as a result of the fallout. The personal information data-mining scandal, first reported by the Observer, was executed through a simple Facebook personality app.
In July Google was fined $5.1 billion by the EU for antitrust practices around the Android mobile operating system. This was yet another sign that the EU means business when it comes to penalties for intentional misconduct and business malpractice, no matter who the company is.
Acceptance and understanding are the first step toward preventing the consequences of any intended or unintended misconduct that results in critical damage. The GDPR enables and empowers businesses to enhance the customer experience and trust by showcasing compliance and reliability, which in turn will increase business.
Organizations that respect consumer rights and give consumers control over their personal information and how it is used will be more likely to win new business opportunities and retain existing customers. Consumers will choose service providers based on robust data protection processes and procedures that reflect the business’s compliance with the GDPR.
A not-so-well-known fact about the GDPR is that it is designed to make data protection compliance easier and less expensive for companies. The 1995 Data Protection Directive, predecessor to the GDPR, was used by member states to independently interpret the rules and create local legislation. The GDPR is a regulation, not a directive. This means that the articles of the regulation apply directly and don’t need to be turned into national laws, minimizing the interpretations and variations between member states. The current belief of the EU is that this will collectively save organizations €2.3 billion per year in operating costs.
Just as Cyber Risk Management software aids organizations in effectively managing the integrated risk management framework of socio-technical systems, a supply chain management company touts GDPR compliance in an effort to win new contracts as a qualified, trusted supplier.
Training employees about the GDPR and the risks involved is crucial to compliance harmonization throughout the company. Moreover, increasingly aware consumers are giving close consideration to the terms and conditions of use and the privacy policies provided. Those enlightened consumers shun services that violate their personal space and are choosing alternatives that offer better personal data protection.
Further, consumers of the digital generation are increasingly aware of how their personal information is collected and on what terms the data is being shared. A transparent approach to the compiling and use of personal data is going to win increased customer confidence. It is only a matter of time before organizations that find roundabout means of collecting personal data for sales enhancement or manipulation come under the scrutiny of the Data Protection Authorities. Therefore, companies should comply with the regulation and obtain consent from individuals after explicitly stating the purposes for which their information is being collected.
The new regulation is expected to bring consistency across the economies of the EU in terms of data collection and information protection standards, leading to harmony in practice and acceptance. This uniform platform will increase consumer trust in business establishments, which in turn will create new business growth opportunities across and outside of the EU.
Basic must-haves for success:
A large-scale change in an organization or an industry, whether forced upon it or brought about by future growth plans, provides business leaders with opportunities to adapt and innovate. Enterprises that achieve consistent compliance through change management, policy and process revision, and application of best practices impact their business in multiple ways.
Therefore, embracing the GDPR guidelines as a means to incentivize your organization will provide:
The preceding article was designed to help you adapt and innovate your business acumen to ensure business continuity and longevity in an economic scenario where analysts are wondering, “When is the next recession?”