A new report from a leading data management consultancy has revealed that companies and other organisations across Europe are significantly underestimating the impact of the European Union's General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, and that many are therefore failing to prepare adequately for it.
When the GDPR comes into force it will require companies to adhere to much stricter rules on how they collect, process and protect personal data. Although the regulation was adopted in April 2016, it takes effect after a series of high-profile incidents in Europe, including the TalkTalk breach, the Yahoo data breach and the WannaCry ransomware outbreak of May 2017, which hit organisations in more than 150 countries, among them Renault, FedEx, Telefónica and the UK's National Health Service.
In the report, Consult Hyperion warns that financial institutions in Europe are at particularly high risk from non-compliance with the GDPR. With organisations that fail to comply facing fines of up to 4% of annual global turnover or €20m, whichever is higher, Consult Hyperion estimates that nearly €5bn of fines could be levied on European financial institutions between 2018 and 2021.
A principal consultant at Consult Hyperion said that not only are the financial penalties for a data breach substantial, but that company executives deemed responsible for a breach could potentially face criminal charges. Speaking to the FT, he said:
“Data breaches are an unfortunate fact of life for financial institutions, and our analysis suggests that there have been no fewer than 27 data breach incidents among European Tier 1 banks in the last decade, with some banks as multiple offenders. Assuming European financial institutions’ data were breached 384 times over the three-year period, and were fined at the lower end of the GDPR scale at €260m per breach, penalties would total €4.7bn.”
The situation is potentially even worse outside the European Union, for example in the United States. Many US companies that handle the data of EU residents are unaware that the GDPR will apply to them.
Although the GDPR has been in the works since the European Commission's 2012 proposal, it has only recently taken on real significance in the USA as the regulation's extraterritorial reach has become clear: it applies to any organisation, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour, and it treats online identifiers such as IP addresses as personal data. US companies in scope must therefore process the data of EU residents in a GDPR-compliant way. Most multinational American companies have made GDPR compliance a priority, with 77% budgeting at least $1 million for it. The picture is less positive among smaller US companies, many of which still believe that the GDPR will not apply to them at all.