FTSE 100 companies could face fines of up to £5 billion a year if
they don’t comply with the EU General Data Protection Regulation (GDPR),
according to analysis by global management consultancy Oliver Wyman. The
EU regulation, which will overhaul the way companies acquire, retain and
use personal data, will come into effect on 25th May 2018, just 12
months away.
GDPR will allow EU consumers to ask why personal data is collected, how
it is being used and how long it is retained for and to request that
companies erase and stop processing their personal data, with at least
ninety million gigabytes of data being taken back, estimates Oliver
Wyman. It will also allow companies to ‘poach’ data from rivals, if they
can obtain customers’ permission.
Most businesses are not fully prepared to deliver this, or to adapt to
the business consequences of losing their data bank. For serious
breaches, firms will have to pay fines of up to four percent of their
global annual turnover, or €20 million, whichever is the greater.
Had GDPR been in place for the past five years, the consultancy’s
analysis shows that FTSE 100 companies could owe up to £25 billion in
fines to EU regulators.
Chris McMillan, a Partner in the data and technology arm of Oliver
Wyman, said: “In the tug-of-war between companies and their
customers over personal data, GDPR falls firmly in the consumer’s
favour. With fines of up to four percent of global turnover, or €20
million on the table, non-compliance is simply not an option.”
Companies must prioritise data security with strong engagement from the
top down. Experienced Chief Data Protection Officers and Data Engineers,
already in short supply, will be in even shorter supply this time next
“As well as meeting the basic requirements, and building a defensive
moat around their data, savvy companies will use GDPR to their own
advantage by ‘poaching’ data from rivals and even players from outside
their industry. With consumer permission, there is nothing to stop a
financial services company from requesting data from a technology
company or vice versa. Companies that don’t use GDPR to improve their
customer value proposition will be left behind, and are likely to have
their own data pillaged by their competitors,” added McMillan.
All UK companies will be subject to GDPR until at least March 2019.
Post-Brexit, companies dealing with EU citizens will still be subject to
About the research
Oliver Wyman identified FTSE 100 companies, with significant customer
interactions, that have incurred a known data breach in the past five
years. Using 2015 financial reporting figures, Oliver Wyman applied the
fine (four percent of annual global turnover) to reach the total of £25
billion, or £5 billion per year.
About Oliver Wyman
Oliver Wyman is a global leader in management consulting. With offices
in 50+ cities across nearly 30 countries, Oliver Wyman combines deep
industry knowledge with specialized expertise in strategy, operations,
risk management, and organization transformation. The firm has more than
4,500 professionals around the world who help clients optimize their
business, improve their operations and risk profile, and accelerate
their organizational performance to seize the most attractive
opportunities. Oliver Wyman is a wholly owned subsidiary of Marsh &
McLennan Companies [NYSE:MMC]. For more information, visit www.oliverwyman.com.
Follow Oliver Wyman on Twitter @OliverWyman.
View source version on businesswire.com: http://www.businesswire.com/news/home/20170521005043/en/