Beyond the risk of substantial financial losses and reputational damage, a company's decision not to protect its data can strongly hamper its development.
Take the example of a company that wants to open its capital to future investors. Those investors will almost certainly carry out an acquisition audit beforehand, covering various aspects of the company and in particular an analysis of its information system (IS). In that context, non-compliance with personal data protection requirements will undoubtedly count against the company.
The same applies when a company seeks ISO (International Organization for Standardization) certification, and especially certification against the ISO 27000 family of standards on information security. Since 2022, the standard has been extended with many concepts drawn from the GDPR, including the protection of data through anonymization.
Even more impactful, non-compliance can have significant business repercussions.
When customers begin a data protection compliance process, they audit their suppliers to check that they are compliant too. Suppliers that are not will lose them to other providers. The impact on the business, even with long-standing customers, can be significant.
Non-compliance can also cost business in a tender. In a public procurement, the contracting authority must ensure that the subcontractor complies with data protection regulations; if it does not, the contracting authority will choose a subcontractor that does.
Compliance risks are also regularly underestimated.
Every organization needs to be able to handle a request for the right to be forgotten, whether it comes from an employee, a prospect or even a customer. According to one of our recent surveys, 28% of respondents have already asked a company to apply their right to be forgotten, or right to erasure.
If an organization is unable to honour such a request, the applicant may refer the matter to the data protection authority, which will audit the organization and sanction it if it cannot apply this right.
Moreover, the data protection authority is increasingly carrying out unannounced inspections. Although these inspections were rare only a few years ago, the European data protection authorities now consider that companies have had ample time to comply with the GDPR since it came into application in 2018.
If a breach of the personal data protection rules is established, the consequences can be disastrous for the organization. Fines (up to 4% of turnover or €20 million) and reputational damage come to mind first, but there is a potentially even more serious risk: an administrative order prohibiting the non-compliant processing. In some cases this can lead to the suspension, or even the end, of the company's activity if that activity depends on the processing in question.
Any company that decides today not to comply with the regulations on the protection of personal data exposes itself to considerable risk, whether financial, reputational, loss of business or suspension of activity.
Yet this compliance, although sometimes experienced as a real constraint, is ultimately beneficial for companies, since it strengthens trust across their entire ecosystem, whether employees, customers or subcontractors.