TL;DR Under the EU’s General Data Protection Regulation (GDPR), companies saw the risk of being fined for non-compliance in managing customer data as less costly than implementing data governance and data privacy systems. But after Amazon was issued an $887 Million fine in July 2021, companies are recalculating the cost of non-compliance and are looking for new ways to introduce more robust data governance that will also allow them to benefit from data management beyond regulatory compliance.
Since 25 May 2018, all companies worldwide with users based in Europe have been required to abide by the GDPR. Theoretically, any organization that does not respect the GDPR may face fines of up to 20 million Euros, or up to 4% of its total revenues.
## GDPR entered into force without any tools to make it happen. Three years later, the market is still not ready to implement it.
So far, according to our latest report, the majority of companies are not compliant. And there is a reason for that: policymakers and legislators believed that the market would adapt and create solutions to assist with data privacy and data governance compliance.
But the reality has been different. Companies are not able to implement the GDPR. They are still struggling through their own digital transformation and with moving to cloud-based infrastructure. How can they be expected to also reach the high level of data governance maturity that the GDPR proposes as an operational foundation? It’s impossible.
Even major vendors building and selling data privacy solutions are not able to deliver real compliance. Most of the time, they sell solutions that help their business customers be ‘theoretically compliant’. They define documents and processing activities in a static manner, not linked to what really happens in live business systems:
- 88% of companies still rely on Word and Excel for their GDPR compliance.
- The remaining 12% rely on software tools that could be considered augmented versions of Excel, with specific data models (Gartner 2021).
The current compliance market and technology stack is flawed by design. This creates fragmentation and leaves a troubling status quo: all companies are at risk of fines, and still not able to be transparent with their users about the use of personal data, nor to turn good data governance into operational efficiency. It's a lose-lose situation.
## Millions vs billions: fines did not scare anyone until last week.
The smallest GDPR fine ever issued was €28, imposed by the Hungarian data protection regulator on Google Ireland. With fines like this, the GDPR was not scaring anyone. Even when the French CNIL fined Google $50M, GDPR fines were still considered a nuisance rather than a punishing sentence.
That changed in July 2021. Up until the middle of the year, the total sum of all fines levied by data protection authorities was around 300 Million Euros. While it may sound daunting for some companies to lose a few million because of a data breach, or because they kept customer data longer than permitted, the reality is that the cost of compliance is much higher than a potential fine.
It has been estimated that the total cost of GDPR compliance, for the US market alone, is around $150 Billion. If you extrapolate that to EU companies and the global economy, the total comes to no less than a few hundred billion dollars to be (still only lightly) compliant. So when you compare a few hundred million Euros of fines over three years against a few hundred billion to set up the GDPR and maintain compliance over time, you can see why EU GDPR fines have really not been that big a deal.
Courtesy of enforcementtracker.com, provided by CMS Law.Tax
Amazon’s fine is a game changer. It has finally made the risk event “getting fined under the GDPR” one that many companies agree is not worth taking. Now every company has received the message: “don’t mess with the GDPR”.
## It is time to strengthen how your business collects and stores personal data
Before this news, the privacy management software market was estimated to be worth around $8Bn by 2023. But the Amazon fine will have industry analysts recalculating their assumptions. The GDPR stick is here, it is big and it hits hard. Companies will now be looking to raise their level of personal data governance to avoid paying for it the hard way.
Complying with the GDPR and building strong data governance systems that allow regulatory-compliant use of customer data are not just about avoiding the penalty stick. There is another way to think about the GDPR. Data governance that gives companies confidence that they can use data for innovation legally could be a carrot for many businesses and an enabler of value. Cisco’s 2020 Data Benchmark study shows that of more than 2500 companies interviewed, over 70% found that better personal data management:
- Reduced sales cycles
- Enabled greater agility and innovation
- Enhanced operational efficiency
- Decreased loss from data breaches
- Increased loyalty and trust with customers, and
- Increased company attraction to investors.
Furthermore, companies calculated that the average Return on Investment (RoI) from privacy technologies is around 225%: if they spend $1.2M on privacy technologies, they can make, on average, $2.7M from new innovation and reduced business costs. RoI calculations can also be applied to positive externalities such as employee engagement and loyalty, ecosystem trust, and so on.
Every company will have to weigh up its own perception of GDPR compliance and privacy concerns, and decide whether it wants simply to avoid the stick or to seize the carrot of the data opportunity.
Amazon’s fine is alerting the industry to the need to enhance regulatory compliance, but no doubt many will wait until they learn the hard way. After all, the words of Confucius are just as applicable to our digital regulatory environment today:
"By three methods we may learn wisdom: First, by reflection, which is noblest; Second, by imitation, which is easiest; and third by experience, which is the bitterest."
PS: If you want to become a Privacy Engineer and be part of the team that is making GDPR compliance a reality by building easy-to-use APIs for developers, we are hiring for roles all over the world. Join ALIAS.dev today and reach me via firstname.lastname@example.org for a quick 15-minute discussion.