06 Jun EU Data Protection Regulation Monster Fines Catapult Cyber Security to Board Level
The European Union General Data Protection Regulation (GDPR), which applies across Europe from 25 May 2018, will catapult cyber security into the board room on the strength of its monster-sized fines alone.
Administrative fines are Everest-sized. The upper tier is the higher of EUR 20 million or 4% of total worldwide annual turnover (turnover, not profit); a lower tier of EUR 10 million or 2% applies to lesser breaches. Fines on that scale can put any company into bankruptcy, so data protection and cyber security become questions of organisational survival as of next year. And there are only 12 months left to prepare for this milestone, bulky Regulation.
Obtaining the “consent” of data subjects to the holding and processing of their personal data is often presented as the silver bullet for compliance. It is not: consent is only one of six lawful bases for processing (alongside contract, legal obligation, vital interests, public task and legitimate interests), and where a company does rely on it, consent is anything but simple to obtain. It must be freely given, specific, informed and unambiguous, and explicit where special categories of data are involved. The onus is on the data controller to demonstrate that consent was given, which means keeping a documented trail. The data subject must also be informed of all their rights, including the right to withdraw consent at any time, and withdrawing must be as easy as giving it.
Encryption is the other issue that will precipitate work. The Regulation does not mandate encryption outright, but it names encryption and pseudonymisation as examples of appropriate security measures, and it relieves a controller of the duty to notify affected individuals of a breach where the data involved was encrypted. In practice, holding personal data unencrypted will be hard to defend, so there will be lots of work for IT departments as well as legal departments.
Finally, the Regulation takes the role of Data Protection Officer, which already exists in several member states, and gives it statutory importance. The employee-count and data-subject thresholds discussed while the Regulation was being negotiated did not survive into the final text. Instead, a DPO is mandatory for public authorities, for controllers and processors whose core activities involve large-scale, regular and systematic monitoring of data subjects, and for those whose core activities involve large-scale processing of special categories of data or criminal conviction data. The DPO can be an employee, or an external provider such as a law firm engaged under a service contract. To lessen the burden on small and medium-sized companies, a group of undertakings may share a single DPO, and the DPO may hold other duties part-time provided they do not create a conflict of interest.
It’s time to take cyber security seriously in the business setting. More than additional headcount, it will take a large dose of preparation to get up to speed before May 2018 so you can fulfil your legal obligations and avoid paralysing fines.
Weak cyber security can put your business into bankruptcy under the new European rules, which will apply uniformly across the European Union.
EIMF is offering a seminar on 11 and 12 July titled EU General Data Protection Regulation Workshop, approved by the HRDA. If you are interested, please click here for more details about the seminar.
By Dr. Nick Skrekas
International Lawyer and Economist
Seminar Speaker at the European Institute of Management and Finance