Experts at Cheeky Munkey provide guidance on what happens if you breach GDPR and how you can prevent it.
Since the implementation of the EU’s General Data Protection Regulation (GDPR) directive in May 2018, companies have been grappling with the practical implications of the law, which outlines an individual’s right to their own personal data.
Data has been big business for years, but with many consumers unclear about the value of providing companies with their personal information. One of the aims of GDPR is to give them control of their data. In turn, this could increase customer confidence.
GDPR in practice
For many companies though, GDPR has meant making significant changes to their operations. It isn’t just EU-based companies facing this reality either, any business that handles the personal information of an EU citizen has to comply.
The technology required can be costly, to the extent that some companies have simply stopped doing business in EU countries, including multi-player games sites shutting down their EU servers. Analytics service Klout ceased operations on the day GDPR came into force as did Tronc Media, whose websites remain inaccessible to EU readers over a year later.
How can companies ensure compliance?
Of course, shutting down operations is not an option for most companies, so GDPR compliance is essential. This means investing time, money and expertise in processes and systems. Among other things, GDPR requires:
- Keeping detailed records of data processing operations, in an electronic format.
- Being able to edit or delete an individual’s information.
- Being able to select how data is processed in order to comply with customer permissions, for example, when sharing data with third parties.
- Establishing a governance structure and procedures to ensure staff are aware of roles and responsibilities.
- Implementing appropriate measures to secure customer data.
This last point is particularly significant because cyber attacks represent a real risk. Ransomware, a type of malicious software (or ‘malware’), is the biggest cause of insurance claims against companies in the UK, because such attacks deny access to, and control over both company and customer information.
What are the consequences of a GDPR breach?
Given that we have had over a year of GDPR, most companies will have long since started altering their processes. Progress can be slow, but it is worth the effort, because if a company is in breach the impact could be even more costly. Potential losses include:
- Fines relating to data breaches
If a company experiences a data breach, for example through a Ransomware attack, they must notify the Information Commissioner’s Office and any other appropriate EU data protection authority no more than 72 hours after becoming aware of it. They must give details of the breach, and the authorities will then decide whether the company should be fined.
- Litigation from customers relating to data breaches
Businesses also run the risk of legal action by individuals impacted by a data breach.
- Directors, officers and professional advisors
A company’s most senior staff members may be held directly responsible if they are found not to have ensured GDPR-compliance. They are deemed responsible for putting the relevant processes and practices in place.
Additionally, if a business that suffers a breach sought advice from an advisory firm which turns out to be negligent, the company can bring legal action against the firm that provided the advice.
- Reputational damage
Companies that do not comply with GDPR also face reputational damage. Information about a breach can spread quickly, eroding trust. In addition, individuals who do not believe their data is being processed in a way that is compliant can report the company to the ICO directly.
What are the fines?
The ICO has two tiers of administrative fines. They are imposed on a case-by-case basis, depending on what specific article of the GDPR has been breached:
- Up to €10 million, or 2% annual global turnover – whichever is greater.
This is for infringements including consent for children’s data and processing that doesn’t require identification.
- Up to €20 million, or 4% annual global turnover – whichever is greater.
This is for infringements including data processing principles, data subjects rights and data transfers.
Becoming GDPR-compliant is not an overnight process, so if you have any concerns, conducting an IT security audit is a good place to start. This will identify what issues you still need to deal with and how these should be prioritised.
Interested in learning more? Contact us today and we will be very happy to discuss your options.