The General Data Protection Regulation (GDPR), implemented in 2018, has been a game changer for global businesses. Corporate clients will inevitably know one thing about personal data regulation: the fines are huge. Businesses could be liable for the greater of €20 million or 4% of annual worldwide earnings.
It is clear the European Union is much more interested in preventing data breaches than the United States.
There’s obviously a lot of work involved in becoming GDPR compliant. Corporate clients tend to see the regulation (and its fines) as either a large liability or an even larger opportunity. The first group treats privacy compliance as an expense to avoid. The second notices the competition avoiding Europe and focuses on expanding into that premium market.
You don’t have to beat the competition when it’s not there. GDPR compliance is not only a good business practice, but it makes the $20 trillion European economy accessible.
What is the GDPR?
The GDPR regulates and protects personal data for over 500 million people in the European Union and the European Economic Area. The information that must be protected includes names, email, criminal history, video, and even IP addresses, with a laundry list of restrictions regarding processing, transferring, and other company guidelines.
For US companies, it typically means sizable changes within the organization and setting up improvements to administrative, physical, and technological safeguards. Some companies may need to hire or assign a data protection officer (DPO). Changes, recommendations, and decisions will need to be recorded.
Sorry, but it is not as simple as “do this, don’t do this.”
Can GDPR compliance save money?
Reworking data protection policies is not a small job for most organizations. This includes training, reviews, audits, and a heavy focus on protecting personal information. The initial price may seem high, but compliance can connect businesses to a large market with limited competition, and dramatically limits future liabilities.
Data breach costs are increasing
First, data breaches are expensive, even in the United States. After state and federal fines, bad press, and angry customers, there are still lawsuits. Shopping giant Target paid out nearly $20 million after hackers stole a vendor’s login, gaining access to millions of financial records. Paying the attorneys was not cheap, either.
New requirements for US companies
Second, US companies will need to strengthen their information privacy practices, with the upcoming California Consumer Privacy Act only months from becoming effective. Data companies generally, and all companies earning over $25 million per year, can face strong penalties for data breaches and for failing to improve consumer rights for those in California. Companies may avoid the European Union, but new regulations are coming regardless.
Data breaches mean lost clients
Third, clients are not happy when their information is mismanaged. Even if they don’t sue, they may stop using your services. Target has almost certainly stopped using the HVAC vendor whose stolen login led to Target’s massive data breach. Facebook users have used the service less and less since the Cambridge Analytica scandal, and it is unclear whether those customers will ever return.
FTC consent decrees can force improved cybersecurity requirements
The Federal Trade Commission (FTC) investigates and fines organizations for data breaches, commonly settling with the corporation through a consent decree. The consent decree establishes new standards for protecting personal information, typically mirroring parts of the GDPR. For instance, the FTC has consent decrees with Snapchat, Fandango, Credit Karma, and of course, Facebook. It is safe to assume these organizations had decided against improving their information privacy standards until a costly data breach forced them to agree to changes.
GDPR fines are less than expected
Fourth, actual fines under the GDPR have been minuscule, assuming you aren’t Google. Regulators have focused on larger companies that make their money selling personal data. While regulators say large fines are coming, it is important to know that the maximum fines apply only after a number of escalating factors are taken into account.
Fiduciary duty to address information privacy
With all the potential fines and ramifications, there is now a fiduciary duty for company directors to identify, assess, and manage data protection and cybersecurity. Information privacy practices required under GDPR seem stringent for American business owners, but the improvements are a major step in limiting breach liabilities. Information privacy must become a bigger consideration in future business planning.
Use the GDPR as a competitive advantage
Changes are coming for US-based corporations. Whether that means state laws, federal laws, or consent decrees, there will be a bigger focus on data security. Considering the small GDPR fines so far and the huge potential liability for data breaches, aggressive businesses are getting a jump on improving information privacy and targeting European clients. Because of the GDPR, many international organizations have decided to stay away from Europe, which has dramatically limited competition there.
A qualified privacy attorney can assist with developing privacy policies that protect both the business and its clients. Contact our attorneys to learn more about your options. Spengler & Agans offers a flat-rate legal checkup for startups and businesses needing a broad, overall legal review of their business and business practices, including privacy issues.