GDPR Emphasises Accountability of Directors and Officers
In January, the European Commission published its draft of the EU General Data Protection Regulation (GDPR). The regulation is expected to strengthen data protection for EU citizens, set clear and modern rules for businesses, and bolster data protection legislation.
Under the new guidelines, the responsibility for reporting serious data breaches and bolstering an organisation’s cyber security—including any damages that its customers may experience as a result of a breach—may be placed upon the shoulders of the organisation’s directors and officers. Now that organisations will be responsible for reporting data breaches for the first time, directors and officers could be held responsible if they fail to bring their organisation in line with the forthcoming GDPR rules.
In order to ensure that directors and officers comply with the new regulation and provide adequate cyber protection for their organisation and customers, the GDPR has outlined a tiered fine structure:
- An organisation may be fined up to €10 million (roughly £8 million) or 2 per cent of its annual turnover—whichever is higher—for not properly filing and organising its records, for not notifying the supervising authority and data subject about a breach, and for not conducting impact assessments.
- An organisation may be fined up to €20 million (roughly £16 million) or 4 per cent of its annual turnover—whichever is higher—for violating the basic principles related to data security or for violating consumer consent.
The aim of these fines is to illustrate to directors and officers the importance of digital data compliance in their corporate efforts, system maintenance and responses to data breaches. Therefore, to minimise exposure to sizeable potential fines, organisations—regardless of size or industry—need to commit to implementing cyber security measures that effectively address potential cyber attacks in a prompt and thorough manner.
While the GDPR will not be formally adopted until 2018, your organisation should begin implementing the necessary cyber protections and educating your employees on cyber awareness as soon as possible.