It’s now six months since the new General Data Protection Regulation (GDPR) came into force, putting organisations that handle personal data under unprecedented pressure to comply with a brand-new regulatory landscape. However, even organisations that think they’re on top of this area are at risk of falling foul – and a mistake could cost your business dearly, says Barrister-at-Law Quentin Hunt. Here are the key principles every organisation needs to adhere to in order to avoid massive fines and reputational damage.
Not in the EU? GDPR Still Applies to You…
It doesn’t matter where in the world your core operations are located: if your business trades with EU customers or collects data from EU citizens, then you still need to adopt data protection regulation that is as rigorous as GDPR, or more so. It’s certainly possible for a non-EU country to maintain independent supply chain deals without taking on the burden of equivalent obligations, but GDPR still requires ‘adequate’ protection to be put in place in order to allow EU members of the supply chain to pass information to the non-EU country. The key message is this: if your organisation is operating in a supply chain involving EU citizens, then GDPR will still apply to you, regardless of your own organisation’s location.
The Real Cost of Ignoring GDPR
Every strong business plan guards against fines and losses, but GDPR fines are at a level never before seen in data protection and have the potential to destroy a business. There are infringements that could incur fines of up to €20 million or 4 percent of worldwide annual turnover – whichever is higher. The recent Cambridge Analytica scandal saw Facebook incurring fines of £500K, but that’s only because the case was originally brought before GDPR came into force. Had the company been fined under the new legislation, the penalty could have been in a whole new ballpark. Plus, there’s reputational damage to consider. If severe, a breach could hit share price hard, raising the possibility of class actions and loss of consumer confidence.
Technology Alone is Not the Answer
Many organisations wrongly assume that GDPR is purely about cyber security. But compliance by design and default is the GDPR mantra – it’s as much about governing human practice as about automating cyber security measures to protect your customer data. In July, for example, the UK’s Independent Inquiry into Child Sexual Abuse was hit with a £200,000 fine after a staffer to the inquiry emailed 90 individuals regarding a forthcoming hearing. The staff member in question accidentally inserted the recipients into the “TO” field rather than the “BCC” field. It was a human mistake, and one that cost the organisation dearly. Technology has a role to play in GDPR, but there is also a crucial role for human judgement – and that’s a matter for management, not IT.
Whose Responsibility is GDPR?
GDPR is something that every business leader must fully understand and lead on. At the regulation’s core is the sanctity of personal data, regardless of whether you’re operating a processor-controller relationship, a customer marketing supply chain or a direct marketing operation. GDPR revolves around the concept that any personal data, held in whatever context, belongs to the individual and that businesses are simply custodians. It represents a fundamental change in the way that every organisation uses, manages and protects data – and ignorance or naivety will be no defence at all. Make no mistake, it is absolutely an executive responsibility to ensure that your team understands what GDPR means for their job.
Quentin Hunt is a Barrister-at-Law with a specialisation in litigation and advisory matters encompassing Data Protection, Compliance and the Criminal Law. He advises clients in all aspects of Data Compliance and GDPR compliance, applying his perspective from his Criminal Law and Litigation experience. He can be reached directly at Quentin Hunt’s criminal defence website.