GDPR: The Dust is Still Settling, But the Penalties are Real
The General Data Protection Regulation went into effect in May, pushing business owners with EU clients to scramble as the deadline approached. Those with the resources to comply have done so (for the most part) and those who don’t yet have the resources and information necessary to comply are still working on it (presumably). But as the well-prepared glide over the finish line and the stragglers put the final edits on their disclosure forms, the EU Commission has sent one message loud and clear: keep moving toward the goal…or else.
The GDPR allows fines of up to 20 million Euros or 4% of global revenue. (For perspective, that means that if the Cambridge Analytica scandal had taken place after the May 25th deadline, the $664,000 fine levied by the UK Information Commissioner’s office would have been about $1.9 billion.) So far, these fines and penalties have not been distributed en masse, but as the dust settles, warnings are likely to be issued and fines will follow.
At this point, the Data Protection Authority (DPA) in each member state of the European Union can determine how stringently the rules are enforced and which failed audits will result in warnings versus actual penalties.
A kind of grace period appears to be underway during which DPAs in a host of member countries are listening to complaints and deciding how much sympathy or leeway should be granted to both parties (customer and company) in each case. During this period, both large companies and startups are likely to receive at least some form of notice before external audits commence and penalties are put in place…but that’s no reason to slow down if you still haven’t met the criteria.
If you fall into this category, it’s time to prioritize. Work on two aspects of compliance before all others: providing proper notification to customers regarding the use of their data (no unreadable messages or legalese!), and putting systems in place that allow you to immediately recognize a breach and notify those affected. Other aspects of the regulation can come later, but these two should be at the top of the list, if you haven’t addressed them already.
Consider this quiet chapter a kind of gift, and act quickly to take advantage of the moment. Need support and guidance? Our teams are still standing by to address GDPR late-comers—get this task taken care of! We can help.