There’s no shortage of data security rules, regulations and laws that businesses in the US have to contend with. It’s not uncommon for them to weigh the cost of compliance against the cost of fines and choose to pay the penalties for non-compliance.
However, if you do business with EU member states and your organization stores or processes the personal data of EU citizens, GDPR is something you literally cannot afford to ignore.
The architects of GDPR are aware that businesses make these cost comparisons and have made the calculation easy. Their solution: make the fines so massive that there is no option but to comply.
Here are two examples of the GDPR enforcement fines in the regulation:
- For breaches of key points of GDPR, such as the basic security principles for processing data, obtaining consent and the requirements for internal transfers, fines of up to the higher of 4% of annual global revenue or €20,000,000.
- For lesser violations, such as not keeping records in order, not following data breach reporting rules, or not conducting privacy risk assessments, fines of up to the higher of 2% of annual global revenue or €10,000,000.
The biggest fine issued in 2015 by the UK’s Information Commissioner’s Office (ICO) was £400,000 against TalkTalk, for weak security that allowed a hacker to easily obtain customer data.
Even the lower tier of GDPR fines dwarfs that.
In November of 2016, Tesco Bank, one of the largest banks in the UK, suffered an unprecedented data breach that reportedly resulted in money being stolen from about 20,000 accounts. The incident is currently under investigation by UK regulators. Fines of up to £500,000 could be imposed.
If the GDPR rules had been in effect at the time of the TalkTalk and Tesco Bank incidents, the fines could have been significantly larger. In the case of Tesco Bank at least, the fine could exceed $1 billion.