Enforcement actions just the start of GDPR costs

The General Data Protection Regulation (GDPR) is considered a significant piece of legislation in large part because of its novel approach to regulating privacy exposures, looking at the totality of an individual’s personal data. But there’s another reason for the GDPR’s landmark status: its teeth, in the form of potentially harsh penalties for organizations that violate its provisions.

Under the GDPR, enforcement bodies across Europe have the power to impose penalties of up to €20 million or 4% of a company’s global revenue in the year prior. Over the last five years, regulators have used this authority to hit companies with multiple fines of €100 million or more — but that’s only part of the cost presented by the GDPR.

Best-in-class security comes with a price tag

Many businesses subject to these regulations have invested heavily in better understanding their data collection, storage and usage. They’ve also implemented technology and infrastructure controls to protect data and sensitive information.

In taking these steps, these organizations can demonstrate to regulators and customers that they take pride in the protection of their customers’ information. In addition to potentially avoiding or limiting costly fines and penalties, these actions can help to mitigate possible litigation and reputational damage.

Even with extensive compliance efforts, businesses may still be subject to review and subsequent penalties by regulators. This is because they may not have fully addressed all compliance requirements and/or new and updated company protocols around data protections may not have taken into account all aspects of the law.

Lower than expected fines: the “cost of doing business”?

Some companies can easily absorb fines and move on. In part, this is because regulators have in the past reduced large penalties they had initially proposed following a show of mitigating factors currently in place.

In October 2020, for example, the U.K.’s Information Commissioner’s Office (ICO) announced a reduction of its initial penalty against an airline for violations of the GDPR, from a proposed £183 million to £20 million (opens a new window). While still sizable, this fine was far less damaging to the airline’s bottom line.

Some smaller and midsize organizations, however, cannot simply absorb a regulatory fine for violations of the GDPR. For these organizations, even relatively modest fines can significantly strain their balance sheets and profitability.

Even those larger organizations that can more easily afford the costs of regulatory penalties may not be able to absorb their ancillary costs. That’s because the costs of privacy law violations often go far beyond regulatory penalties, generally including brand and reputational damage to organizations.

Reputations affect topline growth

Another byproduct of the introduction of the GDPR — and subsequent privacy regulations modeled upon it — is that consumers are far more conscious today about data privacy than they were just a few years ago. This, in turn, has raised expectations for companies when it comes to implementing robust data privacy protocols.

This development has been exacerbated by social media, which can bring significant attention to even isolated or relatively small privacy breaches. Which can prompt action by both regulators and consumers, who are willing to vote with their wallets by supporting companies with reputations for superior data privacy protection. It’s thus no surprise that some businesses have used compliance with the GDPR and other regulations and an overall commitment to data security as a selling point.

Proactive investment creates opportunity

Amid this greater attention by regulators, consumers and investors, there are opportunities for companies that prioritize data protection practices. Becoming leaders in data protection requires that organizations be proactive rather than reactive.

This starts with building the right team, including selecting risk advisors and outside counsel with specific and strong expertise in data privacy and regulatory compliance. These advisors can take a hard look at an organization’s existing data protection framework, identifying potential gaps and deficiencies and prioritizing risk control measures.

Taking these steps can contribute to material improvements in risk posture, lower costs, stronger reputations and, ultimately, greater profitability.

This is part of a series of articles to be published on lockton.com about the GDPR’s legacy five years after its enactment. Read more about what the regulation has meant for US-based businesses (opens a new window), what it’s meant for UK businesses (opens a new window), and its implications for insurance (opens a new window). And look for our next installment, on the future of privacy regulation.