How to Pay Millions in GDPR Fines

10 Behaviors That Will Put Your Organization at Risk

If your company isn’t ready to comply with the GDPR, then you may need to sound the alarm. Fines for noncompliance could be 4 percent of your company’s annual global revenue. This is not a joke. If you don’t want to be responsible for putting your company in serious jeopardy, then review these 10 behaviors most likely to put your company at risk for noncompliance.

Everyone is talking about the EU’s General Data Protection Regulation, and it’s no wonder why. With 99 rules to comply with by May 25 — the date it goes into effect — GDPR compliance can be a daunting challenge.

But if you don’t comply, it will cost you. Penalties for violating the GDPR can be harsh: as much as €20 (about US$23 million, as of this writing) or 4 percent of your organization’s annual global revenue, whichever is greater. For some types of infractions, the maximum penalty is less: up to €10 million, or 2 percent of the previous year’s global revenue.

Nobody wants to pay that hefty penalty, right? Judging from reports, though, it seems that quite a few businesses may be in danger of having to.

Large global firms may spend as much as $7.8 billion on GDPR compliance, according to Bloomberg. Nevertheless, more than half of those organizations won’t be ready by May, consultants predict.

“If you want to dance,” the saying goes, “you must pay the fiddler.” Conducting business with EU citizens and businesses without full GDPR compliance can be an expensive dance, indeed.

By doing your due diligence, though, you can avoid the sting of strict penalties and harsh fines. To help, I’ve put together a list of 10 behaviors most likely to put you at risk for noncompliance and cost your business under the GDPR:

1. Collect personal data from EU resident citizens for one reason, then use it for another.

The GDPR requires you to ask permission to collect, process, store and share any personal data from EU citizens residing in any of the 28 EU member states and to state specifically how and why you are using the data. If you decide to use it for something else, you must obtain their permission again.

2. Share the EU citizen data you’ve collected with someone else — without notifying the data’s owner.

The requirement noted above applies to sharing data with anyone, including third-party vendors.

3. Collect as much data as you can, whether or not you need it.

The GDPR limits the personal data your business can collect, prohibiting, in most cases, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and genetic, biometric, health and sex life or sexual identity data.

4. Don’t tag or track the data your business collects.

Under the GDPR’s “right to be forgotten” provision, any EU citizen who has permitted you to store or use their data also has the right to demand that you remove it from your system and servers — and from the databases of all with whom you have shared it. Since a 2014 court ruling granted EU citizens this right, 2.4 million entities, 90 percent of whom are private citizens, have reportedly had links to their personal information removed from Google. Without a good tagging or tracking system for all the data your business collects, you increase your risk of running afoul of this rule.

5. Have your customers sign a multipage privacy agreement full of legal jargon.

Under the GDPR, the privacy policy disclosing how you will process personal data must be “concise, transparent, intelligible and easily accessible,” written in clear and plain language and free of charge.

6. Don’t train your people in GDPR or data privacy and security.

Because people, not technology, are the weak link in privacy and security efforts, making sure everyone in your organization knows how the GDPR affects them, your organization and your clients can go a long way toward demonstrating a good-faith compliance effort should you be threatened with penalties.

7. Avoid the hassle and expense of a data protection officer.

The GDPR, via article 37, requires enterprises processing “large amounts” of EU personal data to designate a data protection officer. The DPO’s duties include informing the company and its employees (see number 5 above) about how to comply with the law, overseeing the training of data processing staff and conducting regular data privacy and security audits. DPOs also serve as the liaison between your enterprise and the authorities governing data-related activities. If there’s a request to remove someone’s data, the DPO gets it removed. If there’s a breach, the DPO reports it.

8. Don’t worry about getting hacked.

If your business’ systems or networks are breached and EU citizen data is compromised, you run a very high risk of paying the maximum fine.

9. Take your time reporting security breaches.

Under the GDPR, if your data is compromised, you must report the breach to the appropriate authorities and to the data owners within 72 hours of the incident. Failing to do so may cost you.

10. Do it yourself.

The GDPR has 99 rules, many of which are open to interpretation. Juggling all the stipulations using spreadsheets, or trusting your staff to keep track of where your business falls short is an easy way to fall out of compliance.

The high price of noncompliance may be the most widely known aspect of the GDPR that has many organizations scrambling to get everything into place by May 25. The good news is, careful recordkeeping can go a long way toward mitigating the penalties should you be found in breach of this regulation. How prepared are you to make the case for your enterprise?