With GDPR a Year Old and CCPA around the Corner, the Risks for Non-compliance are Intensifying
After adopting the General Data Protection Regulation (GDPR) in 2016, the EU gave organizations doing business across the EU’s 28 member countries until May 25, 2018 to become compliant.
A year later, many organizations are still not GDPR-compliant. And just months from now, a similar law in the U.S. will go into effect: the California Consumer Privacy Act (CCPA). It will apply to companies selling goods or services to residents of California, now the world’s fifth largest economy.
Separately and together, these two regulations will greatly influence privacy protection practices around the world.
What is your business risking if you (and/or your vendors and partners) are not in compliance with these regulations?
- Very large fines – Under GDPR, fines can reach 4% of your company’s annual worldwide revenue (or €20 million, whichever is higher). 2019 opened with Google being fined €50 million (about $57 million) by CNIL, France’s data protection authority. And though only 91 fines had been levied as of February 2019, nearly 60,000 data breaches had already been reported. As regulators dive deeper into these notifications, we could see a sharp increase in the number and size of fines issued.[1]
With CCPA, companies in violation face civil penalties of $2,500 per violation, or $7,500 per intentional violation. To put that in perspective, had CCPA been in effect during the Facebook/Cambridge Analytica scandal, with over 24 million affected users in California, Facebook would have faced exposure of up to $61.6 billion in penalties if each affected Californian counted as one unintentional violation, or up to $184.7 billion if the violations were intentional.[2] Pause and reflect on that!
- Brand reputation – You don’t have to look very hard to find companies whose reputations have been damaged by data privacy issues. Marriott, Target, and Equifax have each suffered significant blows to their reputations and a steady erosion of consumer trust in recent years.
While these companies may seem strong enough to withstand this — when data privacy issues become associated with a brand, it can take years to rebuild customer confidence and loyalty. That can create openings for competitors — especially those who’ve built a consistent track record of dependability regarding personal data security and privacy for their customers. And if you’re a smaller business whose brand becomes associated with data privacy concerns, it can be devastating.
- Lawsuits from consumers – As underscored in a recent legal advisory publication, “GDPR gives individuals the right to bring collective legal action against non-compliant entities and, …unprecedented power to enforce their privacy rights…”[3]
Moreover, before CCPA goes into effect, California’s Attorney General is advocating amendments that would expand consumers’ right to sue companies over data privacy violations.[4] If that happens, CCPA will carry even greater risks for companies that do not adhere to transparent and rigorous best practices around data privacy and CCPA compliance.
- Reduced acquisition value – Harvard Business Review recently published “Don’t Acquire a Company Until You Evaluate Its Data Security.” It shines a light on how data security issues can turn your company into a “lemon” on the market.
Stay current, stay rigorous, stay transparent, and get compliant with these new regulations. Doing so will strengthen consumer confidence in your organization and make your company more attractive as an acquisition target.
Remedies
What are the best ways to get on track and in compliance with these new data privacy regulations, which are already starting to have sweeping effects across the globe?
- Know where your customer information is. Our Compliance Services team outlined some important steps for this in an article published before GDPR took effect.
- Be able to rapidly respond to subject access requests (SARs). The right technology will be critical to this. It can make or break your ability to swiftly sort through volumes of data and focus your search on only the applicable records. Read more about important considerations regarding SARs here.
- Confirm what your vendor and partner community is doing – you could be at substantial risk if your vendors and partners are not able to demonstrate their own compliance. This is especially true under GDPR, which holds you, as the data controller, responsible for the processors handling personal data on your behalf: a non-compliant vendor can put your own company in violation.
- Don’t wait a day longer. The time to get in sync with these pivotal new standards and requirements is now. Having an expert partner to help you get there fast will position you ahead of the curve with data protection authorities (DPAs) and put you in a stronger, trust-building position with consumers.
Numbered sources:
[1] Nearly 60,000 data breaches reported under GDPR
[2] Top 5 Operational Impacts of CCPA: Part 5 – Penalties and enforcement mechanisms
[3] GDPR – Collective Actions Under Privacy Banner
[4] California AG Wants to Add Teeth to State Data Privacy Law
Conduent is a digital platform and services company with data privacy solutions powered by the Viewpoint Integrated Analytics platform — enabling companies to proactively identify and remediate areas of risk affecting consumer or employee privacy rights. Conduent’s advanced analytics technology and subject matter expertise help organizations quickly respond to subject access requests, optimize performance and enhance accuracy and defensibility. Learn more on Conduent’s Digital Risk and Compliance web page.