The Price Of Compliance: Study Uncovers GDPR Costs 10/26/2017
Much has been written about the penalties contained in the General Data Protection Regulation. What will it cost to comply with GDPR? It will run around $1 million just for technology, according to a survey by the global law firm Paul Hastings LLP. Specifically, firms listed in the Financial Times Stock Exchange 350 expect to spend £430,000 on technology and Fortune 500 companies expect to lay out $1 million. Only 10% of firms in the UK and 9% in the U.S. have purchased new technology to date.

“Our research shows that, while large businesses are taking GDPR compliance seriously, there remain worrying signs that they may be falling short in planning for implementation next May,” states Behnam Dayanim, partner and global co-chair of the Privacy and Cybersecurity practice at Paul Hastings. Dayanim adds that “£430,000 or $1 million may seem a large sum, but for many larger and more complex companies, it reflects a small portion of the technology.”

The news comes as a plethora of firms are announcing GDPR compliance solutions. Paul Hastings surveyed 100 general counsel and chief security officers at FTSE 350 companies, and 100 at Fortune 500 firms.

Technology aside, companies are budgeting for new hires to deal with regulatory issues. Of those polled, 40% of the FTSE firms have allocated from £201,000 to £400,000 for new permanent staff. In the U.S., 34% have set aside $501,000 to $1 million. They are also preparing to shell out for legal advice: the survey found that most of the firms surveyed have budgets for third-party legal support, but 17% of the UK firms and 22% of their U.S. counterparts have no such budgets.

Of course, these costs are only a fraction of what firms might be fined for violations when GDPR takes effect next May – up to 4% of their global turnover. Dayanim continues that “GDPR compliance can entail substantial revision to existing procedures and systems. Companies that haven’t yet begun already may find themselves in difficult straits come May; certainly, those that have been dragging their feet would be well-advised to strap on the running shoes and try to catch up.”
The final countdown to GDPR
The aim of GDPR is to harmonise data privacy laws across Europe and create a level playing field. A parallel directive affecting the processing of data by law enforcement authorities was agreed at the same time as GDPR, so the EU authorities are clearly taking a serious stance on this topic.

Major knock-on effects
GDPR brings significant changes to how firms must handle and process personal data. If you take a benevolent view, however, you will see GDPR as a fantastic opportunity to tidy up your data, reconnect with your customers and build better and more solid relationships. Let’s take the benevolent view and state that, first and foremost, GDPR is for all EU data subjects and their protection. Customer data belongs to customers and GDPR makes this clear. If you process data, new data governance obligations will apply, including an obligation to prepare and keep records of your processing activities.

New rights for data subjects
A data subject is the living person to whom personal data relates. Under GDPR, data subjects will have far more control over their personal data and, quite significantly, the right to be forgotten. Data subjects will also have the right to data portability and, if they require more information on their data, organisations must make it easy to request such data and provide a comprehensive response within one month from the date of request. Data protection is not linked to a specific technology, and GDPR is principle-led for the protection of EU data subjects in general.

A new concept of joint liability for both data controllers and data processors will come into force under GDPR. Data processors will be jointly liable to data subjects for damages unless they can prove, for example, that a data breach was not their fault. Data processors must report breaches to the data controller.

Identify the areas of your business that may be impacted by GDPR.
Seek help to design, develop and implement solutions in line with data privacy requirements.

A force for good
The GDPR preparation period is a great time to review your data – not just for the purpose of GDPR, but for business development reasons also.
What is GDPR?
The General Data Protection Regulation is an EU regulation that will replace the existing Data Protection Act with effect from 25 May 2018. All companies and individuals that process an EU citizen’s data will need to comply with GDPR. Whilst it may appear similar to the DPA, GDPR provides greater levels of protection and control to data subjects. As a result, GDPR will be more onerous than the current DPA requirements.

The GDPR will apply to the processing of personal data by a Controller or Processor in the context of the activities of their establishment in the EU, regardless of where the processing actually takes place. It’s worth noting that the result of the UK EU referendum doesn’t alter the need to comply with GDPR, as it still remains a legal requirement. Criminal conviction data cannot be processed without a relevant derogation.

The conditions for obtaining consent will alter under GDPR legislation. This means that a soft opt-in is no longer permitted, parental consent is required to process children’s data, indirectly acquired data must not be processed without consent or notification, and records of consent must be kept. The information to be provided at the point of data collection could change significantly. Privacy must be a constant part of any process design and privacy impact assessments must be carried out. Incident management controls must meet new breach notification requirements. Data subjects have new rights to request the erasure or rectification of data and to object to or restrict certain processing methods. Maximum fines for breaches will increase massively and the Information Commissioner’s Office now has rights to audit or to stop firms from processing data.

Under the new legislation, the financial sanctions for breaches of or non-compliance with GDPR will rise from the current maximum fine of £500k to a maximum fine of either 2% or 4% of group global turnover, depending on the type of breach.