GDPR is due to be implemented on May 25th, 2018 and the regulation places important new obligations on any business that handles the data of individuals living in the EU, independent of where the business is located. GDPR gives individuals more say over what organizations can do with their data, with strict fines for non-compliance and breaches. With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.
Penalties for non-compliance with the GDPR apply to both data controllers and data processors, and their severity depends on factors including:
- Duration of the infringement
- The quantity of the data subjects affected
- Level of impact
For serious violations of the regulation, businesses could be fined up to 20 million euros or 4% of global turnover, whichever is higher. Other infringements carry penalties of up to €10M or up to 2% of the total global revenue of the preceding year, whichever is greater. Penalties on this scale make clear that compliance is essential and that the GDPR cannot be ignored.
GDPR compliance is not just about fines or punishments; the risk of non-compliance can be extremely expensive in other ways. According to recent research, cyber-attacks can cost businesses anywhere from $14.00 to $2.35 million per incident, and data breaches and attacks are growing all the time, so the cost of an attack on an organization can be significant. Lastly, there is the cost of the brand and reputational damage that follows an attack.