Let me ask you a question. Are you fully complying with the law on Data Breach Notifications that was introduced in 2016? Because there are a lot of rules attached to that law, and yet there are not a lot of people or institutions that check if they are
Since 2016, companies have had an obligation to notify the authorities when there has been a breach of their systems and the data and personal details of customers might be compromised or stolen. Once this happens, and the authorities find that your security was insufficient or that you waited too long to respond to the breach, you can be fined up to 820,000 euros or an amount equivalent to ten percent of your annual revenue.
These fines are about to increase dramatically. As of May 25, 2018, the Dutch Personal Data Protection Act will be replaced by the European General Data Protection Regulation. This Europe-wide provision states that fines can be up to 20 million euros or the equivalent of four percent of annual worldwide revenue.
Another provision in the new European regulation is that companies that process a lot of personal data need to appoint a data protection officer (DPO). This DPO has the sole responsibility of making sure that all security measures for data protection are in place and, should something go wrong, of reporting to the authorities.
The new regulations are a good step towards securing data and making the Internet a safer place. But if you are a smaller company that works with a lot of data, this could get you into trouble on multiple levels. For instance, hiring a DPO is a costly business and can really dip into your revenues.
The fact that fines are being raised gives companies a better incentive to comply than they have today. But still, who is checking that? Should that even be a governmental institution? Their track record isn't that spotless, to say the least. So why not go back to the old days, when the Internet regulated itself? The industry knows what needs to be done to protect our data; let it check that its members comply. Let's use our common sense here, because a 20 million euro fine is not an amount that you can put in your books just for making a mistake.