What if mismanaging customer data could cost your company 20 million Euros or four percent of global revenue – whichever is greater?
That’s the top penalty set in the European Union’s upcoming General Data Protection Regulation (GDPR), which will greatly expand personal data privacy and protection for EU residents when it takes effect on May 25, 2018. The numbers seem so excessive that many people assume it’s a scare tactic rather than a real threat.
There’s no way to know for sure if the EU will pursue gigantic fines, but guidelines released earlier this month by EU regulators should give pause to GDPR deniers.
“Consistent enforcement of the data protection rules is central to a harmonized data protection regime,” the guidelines declare. “Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox.”
Corrective measures, the guidelines continue, should be “effective, proportionate and dissuasive.”
In other words, the EU is putting a structure in place for the supervisory authority in each EU nation to assess fines under GDPR, and is encouraging them to set big fines for big violations. The largest companies are especially exposed, because the guidelines say the maximum penalty of 4 percent of global revenue is calculated on the whole undertaking – the parent company and the group it controls – not just the individual business unit that goes astray.
What would trigger these big fines? Among the factors covered in the guidelines:
- Top management deliberately abusing customer privacy rights, such as “selling data as ‘opted in’ without checking/disregarding data subjects’ views about how their data should be used.”
- Ignoring advice from the organization’s data protection officer (DPO), a new watchdog role required under GDPR.
- Organizations failing to adopt “structures and resources adequate to the nature and complexity of their business … (organizations) cannot legitimize breaches of data protection law by claiming a shortage of resources.”
In plain language, the EU is saying it won’t accept “the dog ate my homework” excuses. The only effective way organizations can protect themselves from potentially crippling fines is to understand the GDPR and follow its rules.
If you aren’t already deep into GDPR preparations, you can learn more at gigya.com/topic/gdpr. And thanks to our friends at the International Association of Privacy Professionals for flagging the guidelines document, which is available for download as a PDF.
By Jason Rose