On 25 May 2018, an important law, the GDPR, came into force with little awareness in the C-suite and the boardroom. The General Data Protection Regulation (GDPR) aims to harmonise privacy laws across the European Union (EU) and to protect EU citizens’ right to privacy.
The main idea behind GDPR is to strengthen the protection of EU citizens’ personal data. Personal data can include name, address, location, online ID, income, etc. However, the EU Commission states that only 15% of individuals feel they have complete control over their data. This lack of trust can reduce many people’s willingness to engage in online activities and, by extension, to propel the digital economy.
GDPR also benefits businesses. It allows companies operating in more than one country to deal with a single data-privacy law. Before GDPR was introduced, the cost of dealing with 28 different Data Protection Authorities was estimated at €130 million, and the economic benefit of a single law is estimated at €2.3 billion.
While GDPR is enacted in the EU, it is not EU-centric. Its effects are much broader and apply to organisations around the world. GDPR is quite explicit that it covers more than organisations based in the EU: Article 3.1 states that if an organisation processes personal data, GDPR applies regardless of whether the processing takes place within the Union or not. Thus, no matter where it resides, any organisation processing EU citizens’ data falls under GDPR.
Some experts argue that GDPR’s applicability is limited by the wording “… processing of personal data of data subjects who are in the Union …”. However, consider the following scenario:
You’re a senior executive in a Council in Australia. According to the latest figures from the Australian Bureau of Statistics, 6.7 million people in the country were born overseas. It is therefore almost certain that your Council area has residents who are EU citizens. If they never travel back to the EU, there is no problem. However, if they decide to spend 6 months visiting relatives there and a data breach occurs in the Council’s systems, is GDPR applicable or not?
Ultimately, this is a question that only a lawyer can answer, or it may be decided in court, and the latter is certainly not something a senior leader wants to be involved in; there are enough challenges in daily working life already. Naturally, the above scenario applies in the same way to retailers, banks, utilities, universities, etc.
And this is where the infamous 4% comes in. GDPR is likely the privacy legislation with the most painful financial bite. Article 83.5 is quite explicit: “administrative fines up to 20 000 000 EUR, or … up to 4 % of the total worldwide annual turnover …, whichever is higher”.
So, let’s now have a look at another case:
You work for a large retailer. The turnover for the last financial year was €12 billion. The maximum fine under GDPR would be €48 million (4% of the turnover). The net profit is €151.6 million¹. A full fine under GDPR would therefore reduce profit by 31.7% (48.0 / 151.6 = 0.31663). This is the type of impact that sends share prices tumbling and makes institutional shareholders bloodthirsty.
Of course, the jury is still out on how strictly GDPR will be enforced, but given the sums involved, it is better not to rely too much on a lack of enforcement effort.
This brings us to the question: “Where should the responsibility for managing GDPR implications reside?” Considering the substantial financial impact, it is logical to conclude that C-level executives and Boards should be the ultimate sponsors and owners of GDPR-related activities.
The implementation of specific measures, activities and processes will be performed by the Data Privacy Officer or a similar function, but the support must come from the top.
¹ The figures in this scenario are taken from a real annual report and adjusted slightly to protect the source.