Privacy, security, governance, risk, and compliance become mandatory in the EU in May of 2018. The General Data Protection Regulation (GDPR) is a new regulation from Europe, which will affect anyone doing business in the EU. An organization merely has to have data on an EU citizen, and the new data protection law applies. This will apply to a lot of US and other internationally based companies.
GDPR provides EU citizens with a wide range of rights that can be enforced against enterprises that process or store their personal data. This will severely limit what data organizations may hold and how they process this data, compared to current or past practices. Now is the time to start preparing, as these new requirements could have significant impact on your business model and operations.
The penalties for non-compliance are severe, and the EU shows signs of heavy enforcement of the regulation when it goes into effect on May 25, 2018.
GDPR fines range from €10 million or 2% of worldwide annual revenue from the prior fiscal year at the low end, to €20 million or 4% of worldwide revenue, whichever is greater. €10 million converts to ~$11.7 million US dollars, which is the minimum fine. That is a quite substantial penalty, especially for smaller firms. In 2018 we expect to see more big data breaches, but the game is changing, because associated fines for non-compliance by the regulators (called a supervisory authority or SA) will be swift and severe compared to today’s standards.
To most of us, at least those of us used to working primarily in US dollars, or unless you’re an accountant, statements like “2% of revenue” sound fairly dry and theoretical. Here’s a recent, real world example:
Hilton Corp. had a security breach (really 2 of them) in 2015, and didn’t respond proactively enough. In November 2017 the New York State Attorney General slapped a $700k fine on the company for losing 350,000 customers’ credit cards. The $700k fine is $2 per record, and Hilton reported revenues of $11.2 billion in 2015. This is .00006% of Hilton’s revenue numbers…yawn.
Under GDPR, this same fine would be $420 million dollars!
Given the company’s willful negligence in protecting the data, notifying consumers, and poor overall handling and response to the data breach, the maximum fines would be levied. Amongst other findings, Hilton took nearly 9 months to notify consumers of the breach.
But wait, Hilton is a US based company, and isn’t GDPR an EU regulation? Since Hilton has a substantial presence in the EU, even though it is a US based company, it will be bound by the law just as much as an EU company. If you’re thinking, “I’m a small or medium sized business, who cares?” the same law will apply to you too if you do business with, or have data on, EU subjects. As a hotel chain, Hilton regularly has guests visit from the EU, and even if Hilton were 100% US based, it would be in scope for GDPR since it has data on EU citizens in its systems, and failed to protect this information in terms of privacy and security.
The US hasn’t focused on privacy and associated security requirements the way the EU has, where privacy is viewed as a fundamental human right and guarded fiercely. This is going to result in a lot of US companies being caught completely unprepared, and we will see huge fines and sanctions as breaches occur. To ensure that individuals’ privacy remains intact, organizations must now apply a high degree of security to protect this information, monitor their systems and data so they can detect an incident or breach, and have corrective measures in place and ready to go within 72 hours, such as incident response and notification to consumers.
Are you ready for this? Are you affected? Here’s a simple decision tree to help out: