Editor's Note:
The opinions expressed in this article are solely those of the authors. The arguments identified in this article are compiled examples and do not reflect the individual experience of any one author.
Although there have been numerous warnings about the EU General Data Protection Regulation in news coverage, regulatory alerts, and marketing information over the past few years, at less than three months from implementation, many privacy professionals are still struggling with convincing their organization’s leadership to invest the necessary time and resources required to attain GDPR compliance. With other initiatives and regulatory requirements competing for executive attention (and accompanying resources), it’s unsurprising that a yet-to-be-enforced — and, for many organizations, “foreign” — regulation would be placed far down on the “to-do” list or get set aside altogether while the organization takes a “wait-and-see” approach.
Executives can justify their failure to pursue or prioritize GDPR compliance using a number of excuses; however, this inaction is misguided and potentially risky from both a regulatory and a reputational standpoint. Below are three common arguments and proposed suggestions to convince naysayers that proactive preparation is not just a better choice from a compliance standpoint, but one that will benefit an organization’s operations and increase its opportunities and consumer trust.
Argument 1: "GDPR doesn’t apply to our organization."
An easy out for executives avoiding GDPR compliance is claiming that the law does not apply to an organization’s operations because of its geographic footprint, customer market, or the nature of goods and services offered. For some, it’s an accurate belief.
However, plenty of misinformation has circulated about the scope of the GDPR’s applicability. When we performed internet searches for “GDPR EU citizen,” numerous articles appeared in the search results stating that the GDPR only applies to the data of EU citizens, which is erroneous. Under Article 3, the GDPR “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” The GDPR also “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union,” where the processing relates to offering goods or services or monitoring the data subjects’ behavior in the Union (emphasis added). The word “citizen” does not even appear in the GDPR.
While some organizational leaders misunderstand the regulation’s scope, others consciously choose to interpret the GDPR’s scope narrowly so as to exclude their operations from its purview. As other IAPP authors have explained, the GDPR’s applicability is not black and white. As a result, the answer to the question “Does GDPR apply to us?” is often “maybe.”
If your organization’s leadership is reluctant to undertake GDPR compliance efforts claiming “it doesn’t apply,” explain the regulation’s scope using the language of Articles 2 and 3, and add that a narrow interpretation of the GDPR’s applicability likely will not align with the views of EU regulators. If executives still believe GDPR does not apply, then that decision should be documented with supporting evidence.
Argument 2: "Even if GDPR technically applies, EU regulators can’t enforce it."
Some non-EU-based company leaders erroneously believe that, despite the regulation’s text, the GDPR is unenforceable beyond the boundaries of the European Union. Perhaps anticipating this argument, the GDPR’s drafters included a requirement in Article 27 that non-EU controllers and processors who offer goods or services in the EU or who monitor EU citizens must designate a representative in one of the member states where personal data is being processed. Companies subject to Article 3 without an EU presence could disregard this requirement and not appoint a representative. However, this decision fails to consider the vast network of cooperative relationships between EU regulators and authorities in other countries. The development of negotiated GDPR extraterritorial enforcement mechanisms with authorities in other countries is certainly possible. Even if no such mechanisms are implemented, why would an organization want to become a target of EU regulatory action even if there could be jurisdictional hurdles to enforcement?
The possible reputational damage associated with noncompliance is something organizations may fail to consider when making this excuse.
Argument 3: "The cost of GDPR compliance is higher than the cost of noncompliance."
A third common avoidance excuse raised by executives is that the cost of GDPR compliance is greater than the cost of noncompliance. This justification is also misguided, since the regulatory fines for GDPR violations can be as much as “20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.” Moreover, EU member states may levy additional regulatory penalties based on their own country’s laws.
In addition to regulatory fines, the GDPR provides individuals with the ability to be compensated for privacy violations even where the damages for such violations are “nonmaterial.” As a result, private individuals can assert complaints against organizations even if they have not suffered any financial harm. The ability to claim damages for a nonconcrete injury fundamentally differs from other jurisdictions’ laws requiring individuals to demonstrate “real” or “actual” injury.
Aside from regulatory fines and civil damages, GDPR noncompliance can lead to lost opportunity and reputational costs that can hurt an organization’s bottom line. Non-EU organizations that want to grow their operations and expand into member state markets will be unable to do so without attaining GDPR compliance. We have seen mergers and acquisitions fall apart or proceed at a significantly reduced purchase price where targets could not demonstrate adequate compliance efforts. We have also seen vendor/processor organizations lose contracts because they could not meet their Article 28 obligations. Finally, consumer concerns about data privacy and security continue to rise as rates of identity theft and data breaches soar. Organizations that can assure customers that their data is being processed in accordance with the principles of Article 5 should realize a competitive gain, while organizations that fail to offer such assurances will likely falter.
Although the costs to achieve GDPR compliance can be significant, they are far less than the potential regulatory and civil penalties and lost opportunity and reputational costs risked by the alternative.
The trend toward increased privacy and personal data protection obligations is expanding globally. The GDPR’s comprehensive requirements meet or exceed most other international standards and provide a road map for organizations to mature their privacy and data protection programs. Convincing reluctant executives to spend the requisite resources on GDPR compliance will not just satisfy regulatory requirements but will improve an organization’s worldwide competitive standing.