As one of Crayon’s GDPR Consultants, I’ve talked to a number of customers about GDPR. The majority of these companies are based in the U.S., provide goods or services to European Union (EU) customers, and also have EU employees. Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR won’t be in full compliance with its requirements. Most of the companies I’ve met with are just starting their GDPR journey and are seeking information about how to implement GDPR. Many customers want to know which key articles of GDPR need to be addressed, but most are primarily concerned with their GDPR compliance risk and want to know why GDPR is important.
Most of these organizations have heard about the GDPR penalty structure and are concerned about getting fined. GDPR fines are significant. The maximum fine is €20 million or 4% of annual turnover from the prior year, and the minimum fine is €10 million or 2% of annual turnover from the prior year. In September it was announced that the first ever GDPR violation notice had been sent by the U.K.’s Information Commissioner’s Office (ICO), issued to AggregateIQ, a Canadian data analytics firm. The €20 million maximum fine was levied. The company has appealed the claims against it. It’s noteworthy that the first GDPR violation notice was sent to a company based outside the EU. ICO’s message seems clear: make sure you protect the personal data of EU residents, regardless of where your company is based. Most likely this is the first of many GDPR violation notices. Giovanni Buttarelli, European Data Protection Supervisor, has said, “I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum.”
Reducing the risk of fines is one reason to ensure your organization is GDPR ready. A more significant reason is to give your company a competitive advantage. Organizations that can demonstrate GDPR compliance and effective control of data will have a competitive advantage. Companies that are GDPR compliant will want to work with other companies that are GDPR ready. GDPR-compliant companies will require your organization to sign a Data Processing Agreement (DPA) to ensure you’re processing customer personal data per GDPR guidelines. Your company may lose business if you’re unable to sign DPAs. It’s foreseeable that future RFPs will include questions asking whether your organization is GDPR compliant, or asking you to explain how you protect the personal data of your customers. Customers will want to work with companies that will protect their data. The bottom line is that companies and customers do business with people they trust.
What’s the call to action? Start working on getting GDPR ready. Don’t focus only on EU personal data; include the personal data of all your customers. If you don’t know how to get started, contact your local Crayon Key Account Manager or email@example.com to discuss the steps needed to go forward with a GDPR strategy. Don’t take a wait-and-see attitude. Implementing a GDPR strategy is a significant endeavor, and it can take months to become GDPR compliant. Even after you think you’re GDPR compliant, you’ll need to update your strategy as further privacy laws are enacted.