If you are concerned that your company is not completely ready for the introduction of the General Data Protection Regulation (GDPR), now is the time to take steps. GDPR comes into force on 25 May 2018, and a business that is not compliant by then could face serious financial sanctions.
The classification of penalties has still to be revealed, but what is certain is that the highest possible penalty of €20m, or 4% of global annual turnover (whichever is larger), is far higher than the current maximum fines.
Possibility of Maximum GDPR Fines
The imposition of the highest level of financial sanction will probably be unusual. For instance, the current highest applicable fine in the UK is £500,000, and the highest fine ever actually applied is £400,000. However, it is not possible to say whether a data protection authority (DPA) will attempt to make an example of businesses that do not adhere to the regulation.
Further guidelines on financial sanctions will be published by the European Data Protection Board (EDPB) prior to the May 2018 introduction date, and companies should take note of this advice once it is published. It is also important to remember that other penalties, yet to be announced, will be available to DPAs.
Along with the cost of financial sanctions, businesses also need to consider the damage to their reputation that incidents such as data breaches can cause.
All companies should, at present, be reviewing how private and secure their data access is, and they should be formulating a data breach plan that includes notifying the breach within 72 hours of becoming aware of it, as GDPR will require. They should be doing all of this not only to avoid the cost of financial sanctions, but to safeguard their reputation.