
Lessons We’ve Learned


I am not an attorney, and therefore this is not legal advice! 

If you are working with Europe and/or have Europeans as clients, I hope the abbreviation ‘GDPR’ is meaningful to you! It stands for General Data Protection Regulation, put in force 25 May 2018. I even once had a lapel sticker that said, “I survived 25 May 2018!” 

My point, under the overall ‘lessons learned’ mantra, is that in businesses dealing with business to client (B2C) and business to business (B2B) privacy issues, reputational risk currently exceeds financial risk, even with GDPR. I will use a point – counterpoint approach. 

POINT: Unless you are operating in an industry in which you are the only viable provider, your reputation keeps you solvent. Your reputation keeps your brand loyalty high. Just like a college football coach after a couple of losing seasons, your brand loyalty can evaporate quickly! So you want to be, and stay, the ‘best in breed,’ as they say in kennel club shows. And don’t forget, a reputational disaster not only negatively affects your clients’ future decisions about you. A media feeding frenzy attracts politicians like blood in the water attracts sharks. They may well make headlines by denouncing your ‘negligent arrogance’ and ‘unbelievable incompetence’ in the media. Then they can go on to gain media credit for passing draconian laws that destroy your industry’s profitability in the long term. You may be in a commodity or non-commodity industry, and the effects may be short-term or long-term, but they are all bad! 

COUNTERPOINT: GDPR fines can be huge! Whichever is higher: 20M euros ($24M today) or 4% of gross annual profits if you really tick off the particular country’s data protection authority (DPA), or 10M euros and/or 2% if they are in a more understanding mood. Masha Komnenic’s Dec 2025 update of GDPR fines will scare anybody. 

https://termly.io/resources/articles/biggest-gdpr-fines/ 

But here is where the ‘fining’ gets muddy. Right now, even in Europe, privacy law enforcement, and actual fining, meaning money-from-your-corporate-coffers-to-their-coffers, is confusing. We live in turbulent times for privacy regulations. Europe also has political/economic pressures, and a particular country’s DPA’s viewpoint can determine just how strictly a particular incident is perceived. The best reference I have on the ‘state of privacy worldwide’ is a new and superb 60-page paper by Professor Daniel Solove, Bernard Professor of Intellectual Property and Technology Law, George Washington University Law School. Can we agree he is an expert on privacy law? 

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6083968 

Getting most of my readers to find enough time to read a 60-page legal paper is a non-starter, although Dr. Solove writes clearly for laypeople like me. After reviewing his paper, here is my opinion: 

Do you really want to play the ‘my attorney’s smarter than their attorney’ game? You might win in a court of law and lose in the court of public opinion, and even if you win in court the legal fees will be huge! 

So what are the ‘Lessons Learned’ in dealing with GDPR? 

  1. Only gather the absolute minimum personal information you must have to function. Securely destroy, as soon as possible, any information you do not need. Note to CEOs: Your statement to your team should be “Prove to me why we must keep this personal data,” not the reverse. 
  2. Encrypt like your corporate life depended on it! 
  3. Have documented and enforced policies and procedures that you would be proud to show anybody. 
  4. Document great Data Protection Impact Assessments (DPIAs). 
  5. Mind your manners and live within the rules – ask permission, not forgiveness. 
  6. Court battles happen and can also be public/political spectacles. Always keep in mind your attorney’s battle gear. Do they have the best weapons and armor (steps #1-5 above) to win? 
  7. Remember that your US-based ‘sense of privacy’ is not the same as GDPR’s. You can be ‘too small’ to run afoul of U.S. privacy laws – GDPR, with some exceptions, does not have a minimum company size for its requirements. 

Wherever you are working in the world, if you follow the GDPR in handling personal data, you won’t go far wrong. It may not apply in your country, but it is liable to be at least as stringent as the applicable standard. For example: GDPR requires ‘opt in.’ It will be a whole lot safer for you to use that standard than ‘opt out!’ 


*Disclaimer:  We don’t get paid for references 
