Company data loss may go public
Budapest – 6 March 2017
In May 2016 the General Data Protection Regulation (GDPR) was adopted in the European Union, allowing a 2-year preparation period until 2018 for the organisations concerned. We are approaching the end of the first preparation year and based on Deloitte's estimates, the average Hungarian company engaged in the processing of personal data (either profit or non-profit companies, foundations, municipalities or state companies) still needs about 12-18 months to prepare for compliance and avoid colossal penalties.
Deloitte regards GDPR compliance as a business opportunity for the organisations concerned. However, in our experience companies do not handle compliance in a comprehensive manner (covering more than one function), and do not have the necessary resources either.
Compliance with the rules pertaining to the processing of personal data as stipulated by the GDPR is not only a legal and IT issue but has serious process organisation and strategic implications, affecting various corporate functions: legal–compliance, IT, HR, communication, procurement, product development, etc. The current priority of the regulation and of corporate data protection is well demonstrated by the enormous penalty that may be imposed: breaching the regulations could entail a penalty of 4% of the company's global net revenue, but EUR 20 million as a maximum.
Dr. Csaba Márkus, partner, Deloitte Tax and Legal, responsible for the Deloitte Privacy Program emphasised: "Another new and stringent provision is that in case of unintended loss of data in the course of processing high risk personal data, e.g. when the data subject loses his rights of disposal over his own personal data, the individual concerned must also be notified in addition to the data protection authority. This means that the fact of data loss may easily be published, which -- in addition to the penalty -- may result in the loss of faith and reputation."
As data is one of the most important assets of a company, the stringent regulations and requirements hide opportunities for optimisation: due to the unified regulations, data transfer becomes easier within a company group, and the data clearance needed for compliance will create value for the data processing units of a company. Also, due diligence procedures could highlight other deficiencies while there is still time to remedy them.
The Deloitte Privacy Program, comprising complex strategy, business, process organisation, IT and legal services, helps businesses and their leaders to exploit the business opportunities offered by a conscious data-based operation through preparing for the GDPR, which is probably even more important than avoiding penalties.
"In a constantly changing Hungarian and international regulatory and legal environment Deloitte finds it important to provide support and regular information to its clients with a view to their tax compliance and thus help increase Hungarian companies' competitiveness in the local, regional and global markets. The Deloitte Privacy Program expert team and action plan were specifically set up to combat the challenges of GDPR compliance, as an addition to our advisory portfolio that also addresses the latest regulatory changes," said Ákos Demeter, Advisory partner of Deloitte Hungary, expert of the Deloitte Privacy Program.