GDPR could cost FTSE 100 companies £5 billion in fines

04 August 2017

The General Data Protection Regulation (GDPR), which comes into force next year, could see businesses globally stung by around £5 billion in fines per year. The regulation will protect EU residents from a range of potentially abusive, manipulative and unsafe uses of their data, which means that companies may be caught out unless they update their practices radically.

The GDPR will be binding on businesses leveraging the data of EU residents, including those from the UK at least until 2019, thereby having an impact on all businesses globally. The regulation makes clear who owns people's data – the people themselves – and spells out what can and cannot be done with that data. The policy aims to reduce the risks customers face with respect to what happens to their data; many of them are relatively unaware of its true value, as well as of the full implications of sharing personal information.

The new rules are set to have wide implications, allowing customers, among others, to ask companies why they are collecting information, as well as to question how long the data will be retained. Furthermore, customers will be able to request that their data is deleted or no longer processed, unless retention is required by law. Finally, companies will be required to turn over customer data to rivals if the customer grants permission, thereby creating a more fluid data environment.


As it stands, businesses have until 25th May 2018 to bring their operations into compliance, with non-compliance resulting in hefty fines of up to €20 million or 4% of global revenues, whichever is larger. Many UK firms have a long way to go if they are to be compliant by 2018: the current collective bill for data breach fines has recently doubled to £32 million over the past year.

New analysis from Oliver Wyman suggests that, in many instances, firms are not fully prepared for the new regulations. The study noted that had the EU enforced the rules over the past five years, around £25 billion in fines would have been levied on companies, based on the known data breaches over the same period. The EU has, meanwhile, been known to levy harsh fines for anti-trust related behaviour – fining Google $2.7 billion, Intel €1.06 billion, and Microsoft €860 million.

Banks, whose cybersecurity capabilities have for some time been questioned, are particularly noted as being at risk from a failure, given the sensitive nature of the personal information they hold. Digitalisation continues apace in the industry, although many banks remain dependent on sometimes insecure legacy systems, while some are seeking to leverage customers' data for economic analysis. Other industries also face risks, with many companies across the UK unprepared for a breach in general.