The most talked about element of the EU’s General Data Protection Regulation has to be the hefty fines and penalties that organisations could potentially face for non-compliance. EU-based regulators now have the power to penalise businesses that don’t comply with the GDPR irrespective of where they're located.
Almost as soon as the regulation came into force back in May, the headlines were dominated by reports of tech giants like Facebook and Google being hit with a host of lawsuits amounting to around 8.8 billion dollars for allegedly violating some of the GDPR’s provisions.
Last year, Hilton Domestic Operating Company was fined $700k over two incidents in 2015 in which the hotel giant was hacked, exposing credit card and other information belonging to 350k customers. Under the GDPR, however, the company would have faced a maximum fine of $420 million, or $1,200 for every customer record lost.
The severity of the fines has left businesses worldwide, especially those that deal directly with European customers, scrambling to tackle the daunting task of meeting the GDPR’s compliance requirements and, ultimately, to avoid the huge fines everyone keeps mentioning.
What many may not realise is that many of the GDPR’s fundamental principles around the collection and processing of personal data, such as the requirements on consent, the rights to access and delete data, and transparency, have been part of European privacy law for a long time. The biggest difference with the GDPR is that it has much more bite: it can make a significant dent where it matters most for any business, its profit margin.
But it’s not all doom and gloom. Far from it. What we need to do is take a step back and look at why the GDPR was introduced in the first place: to protect the rights and privacy of data subjects. So the best way for your business to avoid the fines is to keep customers happy by making sure that any data you collect about them is kept secure and used only with their permission, and only for the specific purpose for which it was collected.
But in order to deliver the fundamental rights and protections that the GDPR affords to data subjects, you first need to truly know your data. You must know what types of data you collect, how you use that data and where you store it. In other words, you need much better visibility of, and control over, your data. The second step, of course, is to make sure you have done all you can to keep your clients’ personal data well protected at all times and safe from being breached, stolen, shared or misused.
What a regulation like the GDPR actually gives businesses is the opportunity for them to improve their data privacy and security measures in line with modern-day requirements.
By making it mandatory for organisations to be transparent about their data-handling practices and to meet certain standards of security, the regulation lets businesses build greater trust with their customers. And that will only work to their advantage in the long run.