By Vidhi Desai, Senior Principal Product Marketing Director, Cloud GTM Security, Oracle
With the May 25 deadline for the European Union’s General Data Protection Regulation (GDPR) fast approaching, the reality is starting to hit home for companies of all sizes.
There are hefty fines for noncompliance from the European Commission, but that is only part of the story. The ultimate toll for failing to adopt these important data security measures is arguably far greater, particularly for small-to-medium businesses (SMBs).
By this point, most companies, regardless of size, location or industry, have heard about GDPR. While this regulation is aimed at giving European Union (EU) citizens more control over their personal data and identifiable information, GDPR has far-reaching implications not just for large European companies and multi-nationals, but for SMBs based outside of the EU.
Nevertheless, many non-EU SMBs still assume that GDPR doesn’t apply to their business – when in fact even indirect connections to EU citizens, such as an employee's spouse, put companies in the purview of this regulation. Have no mistake: The EU-U.S. cross-border connection is strong when it comes to GDPR requirements!
Other misconceptions abound. One that comes up frequently, for example, is that regulators will initially focus on the largest companies, buying smaller enterprises more time to comply with GDPR requirements. The reality is that enforcement of GDPR will be coming from many different angles and include various data subjects, including individual consumers who suspect and report data security concerns.
Meanwhile, any security breach would immediately raise the question of compliance. Given that cybersecurity attacks against SMBs have become more prevalent and data protection has become more important than ever, no organization should assume that it is absolved from the new EU regulation – all SMBs should be GDPR-compliant.
In a global economy where data is a valuable resource, more companies have come around to the idea that GDPR compliance is more than just a regulation – it's an opportunity.
Moreover, the cost of non-compliance is significant, whether infractions come to light via a routine audit of data protection, or a data breach.
GDPR fines will be issued under two levels, based on the nature of the infringement, the type of data, and the history of infractions, among other criteria. The lowest level of GDPR fines will be up to €10 million, or 2% of worldwide annual revenue of the prior financial year, whichever is higher. The highest level of GDPR fines, meanwhile, can go up to €20 million, or 4% of annual revenue turnover.
In addition to these penalties, EU and U.S. companies will need to contend with the cost of legal counsel, mitigation, customer relations, and public relations if they don't prepare for GDPR readiness.
Finally, and perhaps most worrisome, is the potential damage to a brand’s reputation. While the impact of reputation is often impossible to quantify, it is arguably one that matters most of all. For growing SMBs, the loss of customer trust – via personal data breach, fines GDPR fines, or otherwise – could be the death knell of a business.
Given everything that is at stake, updating security practices and infrastructure for GDPR before the end of May 2018 is a small price to pay for ensuring the ongoing success of your organization.