As the introduction of the new European Union General Data Protection Regulation (GDPR) is less than a year away, it is of increasing concern that many companies across Europe and beyond have not started their preparations for the new regulations, with some not even aware that they are to be implemented in May 2018. It’s not just European Union member countries that GDPR applies to; it is any organisation that processes the data of any European Union citizen. This means it will affect many countries on every continent.
Furthermore, under the new General Data Protection Regulation, organisations will be forced to notify authorities of any breach within 72 hours of discovery. Failure to do so will result in punitive fines. As soon as GDPR comes into force on May 25 2018, any organisation that is not compliant will face fines of up to 4% of its global revenue or 20 million euros, whichever is higher. For many businesses around the world, these fines could be crippling and, if they were subject to them, could cause them to close completely.
The reason for the high fines specified by the GDPR breach notification requirement was to put more pressure on companies to change their behaviour around disclosing breaches, says Nigel Hawthorne, EMEA marketing director at Skyhigh Networks, a cloud security company.
“To put this into perspective, the original data protection legislation was passed in the EU in 1995, so organizations have had over 20 years to get their act together — and some have decided it is more cost-effective to risk being caught out and fined, rather than be honest and admit to a breach,” Hawthorne said, adding that individual countries may add even more pressure. “In Germany, for example, there is a draft of legislation that can imprison people for up to three years for knowingly leaking personally identifiable information to increase the pressure to do the right thing.”
Patrick McGrath, the director of solutions marketing at Commvault, comments that many organisations based in the USA could be in for a sharp shock, as they may not realise that the new General Data Protection Regulation may apply to them. In many states, GDPR will be much, much more stringent than existing US legislation.
“A 72-hour notification window is far more aggressive than what is currently defined by U.S. state laws. Many U.S. companies are dragging their heels on GDPR and have a false assumption that they will not [be] impacted by GDPR regulations.”
He also says that it will no longer be simpler and cheaper to be non-compliant and pay fines.
“In the past, it was seen as less expensive to pay the fines if you got caught than it was to become fully compliant with regulations, which will require a significant number of business and data management practices. With GDPR, the fines are so significant and cannot be ignored. Organizations that provide visibility across all data sources and the ability to automate data policies will have a head start into their GDPR readiness.”
Drew Nielsen of Dhruva, the cloud protection provider, agrees.
“While European citizens and nation states have been emphatic since the end of World War II about the privacy of their information, the same cannot be said for the United States. This lack of privacy awareness in the U.S. has translated into American businesses historically dragging their feet when it comes to breach notification.”