Fines are just one of the costs associated with non-compliance with HIPAA, PCI, SOX, and other regulations. For example, the largest HIPAA non-compliance fine to date was the $16 million fine levied against Anthem last year. As part of the settlement, Anthem also agreed to allocate an additional $115 million to pay for things such as credit monitoring for those affected by the breach as well as other claims, costs, and fees.
GDPR Fines Set a New Bar
Even though the Anthem fine pales in comparison to the total costs incurred, $16 million is more than just a drop in the bucket even for a large organization like Anthem. Just a little over a year since its introduction, the EU’s General Data Protection Regulation (GDPR) is making HIPAA fines seem downright insignificant.
On July 8, 2019, the ICO – the organization that enforces GDPR – announced plans to fine British Airways $230 million (USD) for failure to protect its website against malware that skimmed customers’ credit card information. Just a day later, they announced plans to fine Marriott roughly $123 million (USD) for failure to protect the data in its Starwood guest registration system.
Again, these are just the fines. No doubt, the class action lawsuits that started rolling in once the penalties were announced will further drive up total costs for these two companies.
Could Your Business Recover from a GDPR Violation?
Since the majority (though, by no means, all) of Connectria’s customer base is located outside the EU, it makes sense to pause for a moment to address a frequent question we get from customers: If I’m not in the EU do I need to be in compliance with GDPR?
If you’re transacting with EU citizens inside the EU (including online transactions), then the answer is ‘yes.’ It does not matter where you are located. The only thing that matters is where your customer is located.
EY conducted a survey in 2017 of 745 executives from around the world and found that only 13 percent of companies in the Americas had a plan to address GDPR in place. If you’re one of the 87 percent, you need to seriously consider your risks.
Currently, GDPR has two levels of fines – upper and lower:
- Lower level: Up to €10 million, or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher
- Upper level: Up to €20 million, or 4 percent of the worldwide annual revenue of the prior financial year, whichever is higher
Note, this is global revenue, not simply EU-related revenues. If that sounds like a raw deal for small and midsized companies, especially those based outside of the EU, you may be right.
Say, for example, you’re an up-and-coming SaaS solution provider. Your current global revenues hover around $200 million USD, but you have plans to grow. Europe is one of your growth markets, and although your revenues from the EU are only 10% or $20 million, you expect them to be 50 percent or more of revenues in the coming years.
One small blunder, such as a misinterpretation of the regulations, could cost you $4 million – very likely, taking a significant chunk out of your operating budget. If you committed an upper-level transgression, it could cost you $8 million.
Actually, per the levels above, the infractions could cost you roughly $11 million or $22 million (USD) if the ICO decides to pursue the maximum penalty. That small clause ‘whichever is higher’ makes a significant difference.
What are GDPR’s True Intentions?
Imagine the kind of damage these fine limits could do to a company with global revenues in the billions. As reported in Forbes in late May, Google, Instagram, WhatsApp, and Facebook have already had lawsuits filed against them and face up to $8.15 billion (EUR 7 billion) in fines. Critics are claiming that GDPR has now become a club the EU can use to keep big companies in line with their agenda. (Of course, there’s nothing to keep them from wielding it against small companies as well should they be so inclined.)
It’s not just the tech giants that are giving GDPR a serious case of side-eye. Two-thirds of business leaders surveyed by Ovum Research said they expected GDPR to force changes in their European business strategy. A majority (63 percent) said they think it will be harder for US companies to compete, and 70 percent think the regulation favors European companies.
Regardless of the reasoning and agendas that lay behind the latest GDPR fines, US companies need to protect themselves. TRiA, our multi-cloud management platform, can help you address GDPR compliance through tools that increase visibility across your cloud environments and automate an action, cutting time to remediation.