The biggest reform in two decades is currently underway, touching businesses right across Europe. The EU General Data Protection Regulation (GDPR) published in May aims to strengthen data protection for EU citizens. It sets clear and modern rules for businesses, and bolsters data protection legislation.
As a result of the new legislation, the responsibility for reporting serious data breaches and bolstering an organisation’s cyber security—including any damages that its customers may experience as a result of a breach—may be placed upon the shoulders of the organisation’s directors and officers. Now that organisations will be responsible for reporting data breaches for the first time, directors and officers could be held accountable if they fail to bring their organisation in line with the forthcoming GDPR rules.
In order to ensure that organisations comply with the new regulation and provide adequate cyber protection for their customers, suppliers, and employees, the GDPR has outlined a tiered fine structure:
- An organisation may be fined up to €10 million (roughly £8 million) or 2 per cent of its annual turnover—whichever is higher—for not properly filing and organising its records, for not notifying the supervising authority and data subject about a breach, and for not conducting impact assessments.
- An organisation may be fined up to €20 million (roughly £16 million) or 4 per cent of its annual turnover—whichever is higher—for violating the basic principles related to data security or for violating consumer consent.
The aim of these fines is to illustrate to directors and officers the importance of digital data compliance in their corporate efforts, system maintenance and responses to data breaches. Therefore, to minimise exposure to sizeable potential fines, organisations—regardless of size or industry—need to commit to implementing cyber security measures that effectively address potential cyber-attacks in a prompt and thorough manner.
While the GDPR will not be formally adopted until 2018, your organisation should begin implementing the necessary cyber protections and educating your employees on cyber awareness as soon as possible.
Source: Zywave Cyber Risks and Liabilities Newsletter April 2016