The European Union’s GDPR — formally known as General Data Protection Regulation — comes into effect this Friday and will be the biggest update to data protection laws in decades.
The EU directive will see heavy fines imposed on companies who fail to meet new rules in an attempt to incentivise organisations to tighten up their handling of data.
Failure to comply will result in two tiers of penalties. The first fine is up to €10 million, or 2% of annual global turnover -– whichever is higher. This will be issued for any infringements of the organisation’s obligations, including data security breaches.
The second tier is up to €20 million, or 4% annual global turnover — again, whichever is higher. This will be applied to organisations that breach an individual’s privacy rights.
This could hypothetically lead to some eye-watering penalties for the world’s largest companies, but which would face the largest fines in the event of non-compliance?
Global annual turnover: $486 billion
4%: $19.4 billion
2%: $9.7 billion
The multinational retail giant is the world’s largest company by revenue. While it is headquartered in the US, it has subsidiaries operating within Europe, making it accountable to the GDPR.
More importantly, if a subsidiary company fails to comply, the fines will be calculated based on its corporate parent’s turnover.
This is according to the GDPR Article 29 Working Party, which states that the “concept of an undertaking is understood to mean an economic unit, which may be formed by the parent company and all involved subsidiaries.”
Walmart subsidiary Asda, for example, generates £22 billion in turnover.
But rather than being liable to a 4% fine of £880m, Walmart would be required to pick up a $19 billion tab calculated from its total revenue for a serious data breach committed by Asda.
If Asda and Sainsbury’s merger goes through, they would need to ensure that strict compliance is adhered to when combining any customer databases.
Global annual revenue: $256 billion
4%: $10.1 billion
2%: $5 billion
The Japanese car manufacturer will again be accountable to GDPR for the handling of its EU customers’ data.
Toyota Motor Europe reported 2017 sales of over a million Toyota and Lexus vehicles — all data pertaining to these customers will have to be compliant to the new regulations.
Toyota subsidiary Toyota Connected recently announced that it had established Toyota Connected Europe (TCEU), which aims to promote mobility services in the European market and ensure information security.
The announcement stated that its handling of big data collected from vehicles and analysed on a cloud platform will ensure the “security of processing operations in compliance with General Data Protection Regulation”, showing the far-reaching impact of the European directive.
Global annual turnover: $240 billion
4%: $9.6 billion
2%: $4.8 billion
In 2015, VW was found to have cheated emissions tests because it was deemed cheaper than halting production to invest in research and development for cleaner engines.
Similarly, many companies have failed to adhere to existing data protection laws because the fines have not been significant enough to make compliance more profitable. This will change under the GDPR, and Volkswagen seems eager to avoid another scandal.
One of the key pillars of the GDPR is consent, which, according to ICO.org.uk means “offering individuals real choice and control.” It goes on to say that “Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.”
Statements of consent must be clear and specific, demanding positive opt-in for mailing lists.
Royal Dutch Shell
Global annual turnover: $240 billion
4%: $9.6 billion
2%: $4.9 billion
Oil Giant Shell is the largest private oil company by revenue.
Back in 2010, the company suffered a security breach that saw the contact details of 170,000 employees and contractors become available on the internet, including private phone numbers and postcodes.
At the time, the Information Commissioner’s Office (ICO), the UK’s data regulation body, only had the power to impose a fine that would have likely been less than £5,000 if the company had been found guilty.
If a similar breach occurred under GDPR, Shell would be required by law to report it to the ICO within 72 hours.
In the event of serious non-compliance, the maximum penalty under GDPR would see almost all of their profits wiped out.
Global annual turnover: $224 billion
4%: $8.9 billion
2%: $4.5 billion
The US conglomerate holding company, headed by investment expert Warren Buffett, owns diverse portfolios that range from retail, to jewellery, and gas utilities.
Its operating subsidiaries include Business Wire, Duracell and Brooks Sports, with notable minor holdings in Apple, IBM, and Coca-Cola.
However, in the event of grievous non-compliance by any of these companies, Berkshire Hathaway would only be liable for a breach by subsidiaries over which it has the “ability to exercise decisive influence”.
Any infringement of GDPR by a minor holding, such as Apple, would therefore not be accountable to Berkshire Hathaway.
However, lawyers will be able to make a case that a parent company does not exert sufficient control over the subsidiary and in turn avoid paying a larger fine.
Global annual turnover: $216 billion
4%: $8.6 billion
2%: $4.3 billion
There are over a billion Apple products actively in use worldwide, making the technology multinational responsible for enormous amounts of personal data.
Apple has recently started removing iOS apps that fail to comply with its location privacy standards and sent emails to the developers for them to remove any code that breaks the directives, then resubmit the app when compliant.
An Apple blog post said:
As part of our EU General Data Protection Regulation (GDPR) work, we are undertaking Privacy Impact Assessments (PIA) of our major products and services and integrating PIAs as we develop new products and services.
Apple has also announced it will make it easier for customers to download a copy of any data stored with the company, ensuring that Apple is able to comply with the right to data portability.
In keeping with the primary goals of GDPR, the right to data portability aims to give individuals better control over their own data, and allow them to easily transfer their data to another provider.
Global annual turnover: $205 billion
4%: $8.2 billion
2%: $4.1 billion
If the second largest oil and gas company by revenue were a country, its GDP would be bigger than Ireland’s.
But that hasn’t stopped it drawing criticism for its funding of research promoting climate change scepticism and lobbying of climate change laws.
In the past, this has made it a target for environmental groups. In 2012, SecurityWeek reported that vigilante hacking group Anonymous claimed to have leaked 316 email addresses and hashed passwords.
These were allegedly taken from a cracked ExxonMobil database as part of operation ‘SaveTheArctic’.
Under GDPR, the fines will be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”.
Given that ExonnMobil had more than 82,000 employees at the time, it is unlikely that they would have received a large penalty if a similar breach occurred when GDPR comes into effect.
Global annual turnover: $199 billion
4%: $7.9 billion
2%: $3.9 billion
Global annual turnover: $187 billion
4%: $7.5 billion
2%: $3.7 billion
In 2011, a BP employee lost a laptop containing personal data belonging to 13,000 Louisiana residents who filed claims for compensation after the Gulf of Mexico oil disaster.
Global annual turnover: $184.8 billion
4%: $7.4 billion
2%: $3.7 billion