New EU Regulations put your Business at Risk
By Morten Boel Sigurdsson, CEO | February 2017
The threat of large fines in the coming EU General Data Protection Regulation (GDPR) may drive companies across industries to transfer the responsibility for protecting personal data to the companies they cooperate with.
One of the most frequently mentioned innovative features of the EU GDPR is that companies that compromise personal data can be fined up to four per cent of their annual global turnover. This applies to all companies that are responsible for such data, and not just large companies such as Facebook and Google. For these companies, this means that they can be subject to fines of an astronomic magnitude.
In purely legal terms, companies acting as data controllers are responsible for protecting the data that is covered by the new EU rules.
Data Controllers are Transferring the Risks
There are already examples of companies – particularly large ones – attempting to protect themselves from the financial risk by transferring full responsibility for it to their cooperation partners: IT suppliers, but also other types of partners that process the company’s personal data.
Even today, we see that many companies are expanding their data processor agreements, which they enter into with their cooperation partners and suppliers. The consequence is that a mid-sized company that cooperates with a large company can be made disproportionately financially responsible for a fine due to a data leak.
Therefore, we see that many businesses will be reluctant to sign such agreements in their existing form once they understand the risk they would actually be accepting.
Consider, for example, a small IT supplier with a turnover of EUR 40 million that has a customer with a turnover of EUR 1 billion. In case of a data leak, the supplier could face fines corresponding to its entire annual turnover.
Thus, the regulation creates what I would call an asymmetric risk, in which the risk the supplier is asked to cover most often far exceeds the value of the commercial agreement. This is a dramatic risk, for which the supplier will hardly be able to obtain liability insurance coverage. In many countries, it is even a principle that you cannot take out insurance against this type of fine.
The extent to which a company would sign such agreements depends on a number of things, including the company’s policies and willingness to take risks.
Strong Risk Management as a Competitive Advantage
A responsible management would want to control such a risk, and the only way to reduce it, other than negotiating reasonable agreements, is to be in control of security procedures and processes so that they meet the regulatory requirements.
In this way, strong risk management becomes a competitive parameter: a company whose security conditions are under control can enter into agreements that others would not be able to sign.
This is because, if a company can document that it has done everything that can be expected organizationally, process-wise and technologically, any fines would be dramatically reduced or avoided entirely.
Companies that can provide such evidence will consequently have a major competitive advantage when the EU’s new rules on the protection of personally identifiable and sensitive data come into force in just over a year.
The prospect of the coming EU regulation has already led to many companies becoming more conscious of the fact that they are not in control of their processes and security to the required degree.
Thus, companies failing to document that they take good care of their customers’ data will face a major challenge when the EU General Data Protection Regulation enters into application next year.
Establish a 100% Overview
At Omada, as a supplier of security solutions, we find that our customers would like a 100 per cent overview of the task facing them in securing their data processing.
It is not just a matter of securing against malware or more-or-less ingenious hacking attempts, but just as much a matter of companies ensuring that only relevant employees have access to sensitive personal data. We experience a great demand for clear instructions on how a company can be in control of its risk with regard to the EU GDPR, so that being at the leading edge can be turned into a competitive advantage.