Whichever way you look at it, GDPR will cost your company an eye-watering sum: FTSE 100 companies could pay up to £5 billion a year in fines, while compliance does not come cheap.
Research from global management consultancy Oliver Wyman suggests that FTSE 100 companies could face fines of up to £5 billion a year if they don’t comply with the EU General Data Protection Regulation (GDPR).
The maximum fine for companies in breach of the GDPR (which will come into effect from 25 May 2018) will be €20 million ($21.5m) or 4 per cent of annual revenue, whichever is higher. Oliver Wyman obtained the £5 billion figure by identifying FTSE 100 companies with significant customer interactions that have incurred a known data breach in the past five years. It used 2015 financial reporting figures and applied the maximum fine (4 per cent of annual global turnover) to each of those breaches, reaching a total of £25 billion across the five-year period, or £5 billion per year.
GDPR spend is inevitable
The figures being presented are alarming, but what is even more worrying is that, according to research by Veritas Technologies, the majority of companies are not confident that their data compliance processes and policies are up to the job of ensuring customer data privacy as required from next May. CTMfile has previously written about the complexity of this issue in an earlier article.
The research by Veritas Technologies suggests that companies will spend an average of €1.3 million ($1.4 million) on systems and training to comply with the GDPR. It also found that 65 per cent of companies are seeking external help to comply with the regulation, which will certainly come with its own price tag. Whichever way you look at it, GDPR will cost your company an eye-watering sum.
GDPR is 'tremendous opportunity for companies'
But it's not all bad news. Oliver Wyman's Chris McMillan believes there are opportunities for companies that are able to engage with the new requirements and use GDPR to expand their customer database. He said: “As well as meeting the basic requirements, and building a defensive moat around their data, savvy companies will use GDPR to their own advantage by ‘poaching’ data from rivals and even players from outside their industry. With consumer permission, there is nothing to stop a financial services company from requesting data from a technology company or vice versa. Companies that don’t use GDPR to improve their customer value proposition will be left behind, and are likely to have their own data pillaged by their competitors.”
EY and Microsoft have announced a joint service to offer technology and processes to support companies in compliance and risk management for GDPR. EY's Angela Saverice-Rohan said: “The GDPR is unlike any other privacy regulation to date. It impacts businesses around the world, and creates challenges that won’t be solved by policy and procedures alone. Additionally, the GDPR presents a tremendous opportunity for companies to strategically manage their compliance in a way that achieves other important value propositions; specifically data enablement, process optimization and risk reduction.”
At the same time, the European Commission has estimated that the GDPR, while standing firmly in favour of consumer protection rights, will also be good for businesses. It estimates that, by removing the cost and administrative burden of having to notify national data protection authorities about what data a company is processing when it enters new markets, businesses could save about €130 million a year. The Commission also stated that removing obstacles to cross-border trade and enabling easier expansion of businesses across Europe could bring benefits to business in the region of €2.3 billion a year.
CTMfile take: Has your company already budgeted for GDPR? How much is compliance likely to cost you? Are the figures suggested by research realistic in your opinion? Or do you think your business could stand to benefit?