FTSE 100 companies could face fines of up to £5 billion a year if they don’t comply with the EU General Data Protection Regulation (GDPR), according to analysis by global management consultancy Oliver Wyman.
The EU regulation, which will overhaul the way companies acquire, retain and use personal data, will come into effect on 25th May 2018 – just 12 months away.
GDPR will allow EU consumers to ask why their personal data is collected, how it is being used and how long it is retained, and to request that companies erase and stop processing their personal data. Through the new right to data portability, it will also allow companies to ‘poach’ data from rivals, if they can obtain customers’ permission.
Most businesses are not prepared to deliver this, or to adapt to the consequences of customer data being moved to competitors. For the most serious infringements of the regulation, firms can be fined up to 4% of their global annual turnover or €20 million, whichever is the greater.
Had GDPR been in place for the past five years, the consultancy’s analysis shows that FTSE 100 companies could owe up to £25 billion in fines to EU regulators.
Chris McMillan, a partner in the data and technology arm of Oliver Wyman, said: “GDPR falls firmly in the consumer’s favour. With fines of up to 4% of global turnover, or €20 million on the table, non-compliance is simply not an option. Companies must prioritise data security with strong engagement from the top down.
“As well as meeting the basic requirements, and building a defensive moat around their data, savvy companies will use GDPR to their own advantage by ‘poaching’ data from rivals and even players from outside their industry. With consumer permission, there is nothing to stop a financial services company from requesting data from a technology company or vice versa.”