Will Weak GDPR Sanctions on Data Retention Deter Compliance?

DZone 's Guide to

Will Weak GDPR Sanctions on Data Retention Deter Compliance?

The big players in the world of software can probably ignore the GDPR without a huge hit to their bottom lines. But will they?

· Security Zone ·
Free Resource

For the past 23 years, data security and privacy policies in the European Union were governed by the Data Protection Directive of 1995. EU lawmakers recently decided that these regulations were not sufficient for protecting consumer data in the 21st-century. They passed the General Data Protection Regulation to address security concerns created by technological changes that have taken place since the previous data protection guidelines were written.

While the new regulatory framework arguably has some valuable policies that were omitted from the previous legislation, it also creates some challenges. Many businesses are concerned that the new guidelines will be too expensive. Some experts warned that companies may find it cheaper not to comply with the policies. A recent article from Business Insider warned that Facebook and some other large brands were actually considering this option, which could cast the future of the legislative efforts into jeopardy.

Derrick Alling, the CEO of Atriark Inc. said that the actual implications of the policy are unknown.

Companies Express Cynicism Towards the GDPR

The GDPR has received extensive criticism from many stakeholders on both sides of the discussion. They warned that the policies are too convoluted and that enforcement will be very difficult to implement.

There are a number of issues that they have raised:

  • The framework allows regulators to be very flexible with the penalties. Actual fines will probably not be nearly as high as the law allows but gives regulators leverage to impose stricter penalties than the Data Directive of 1995 did.
  • Customers may not recall which brands actually collected the data. They may ask a brand to delete data that doesn’t exist, which could raise the possibility a brand will be fined for violations it didn’t even commit. On the other hand, this uncertainty could create reasonable doubt for brands that refuse to delete data and argue the user’s information was never secured on their servers.
  • The confusing language of the law requires organizations to pass very lengthy explanations of the types of data companies collect and the policies for allowing customers to have it removed. Many European customers may opt into the data collection agreement without even reading the new disclaimers required by the GPDR. Even privacy activists warned that the draconian policies may do more good than harm.

All of these factors will weigh on companies that are subject to the new data protection requirements. The question is whether or not these organizations will be motivated to comply in the face of these fines.

Will GDPR Penalties Encourage Compliance?

On the surface, the GDPR penalties seem severe. Companies that failed to meet these requirements can be fined up to €10 million or 4% of their annual income.

It is very unlikely that any regulator will approve a fine high enough to cripple any large company. This creates some uncertainty for companies, which may influence their decision to abide by some of the structural elements of the GDPR. They could decide that the cost of compliance exceeds the expected costs of regulatory sanctions.

Customer Pressure Could Help Encourage Compliance

Many organizations may feel that the GDPR is unnecessarily onerous. However, it was implemented to respond to growing concerns about customer data breaches. Even if companies are not overly concerned about the costly fines the new laws impose, they will still need to consider the problems customers will create for them if they don’t take reasonable precautions with their data and respect requests to withdraw from the data retention agreement.

Customers are becoming far more concerned about data privacy these days because a growing number of security breaches have caused significant problems for them. They will personally hold organizations responsible if they fail to develop reasonable data protection policies. Companies must also consider the expected loss created by civil lawsuits, which would not be nullified by the new data protection laws.

data security ,gdpr compliance ,gdpr data protection ,security ,security compliance

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}