Unless you have been living under a rock, you will be aware of the impending activation of the General Data Privacy Regulation on May 25th of this year. The shocker is that many organizations are only now beginning to realize the potential impact of this new regulatory direction of travel on their business. Capgemini estimates that many organizations will not be ready.

The impact of GDPR is so potentially devastating to an organization that it can be considered a watershed in how regulators govern areas of public concern.

GDPR is audaciously crafted to ensure that the most significant tech companies of our time (Google, Apple, Microsoft, Facebook) will be forced to take heed. Major public showdowns over the years between EU Commissioners such as Ms. Neelie Kroes and Ms. Margrethe Vestager and these large enterprises have taught the EU that if one is to tame industry giants, regulation would need to be much bolder, even impudent, than what has gone before. Enter GDPR.

The compliance requirements of GDPR are in themselves very reasonable. So reasonable that a false sense of security prevails in the boardroom. That is why most companies have approached their GDPR challenge as a compliance exercise. After all, you have lived through and survived other compliance regimes such as SOX, FDA, HIPAA and MiFID.

Why change a successful approach?

In a nutshell, there are two reasons why a board member of a large organization should be concerned:

The effect of a combination of sanctions
The presumption of guilt when potential violations occur in its application

These new factors mean that every senior executive needs to consider their exposure to the effects of GDPR in addition to their compliance with GDPR.

As my colleague, Simon Walkden, explained in an earlier piece, GDPR will take some time to reach maximum force. The dangerous thing for business leaders is that the regulator believes you have already had a two-year transition period to prepare. So, what have you done? Do you now understand your potential exposure?

Does this affect you?

Companies with a strong domestic/offshore culture might be particularly at risk of underestimating their exposure to GDPR. US companies, for instance, might not realize that they are fully liable for fines based on their worldwide income for breaches of GDPR affecting any EU citizen. So irrespective of whether your organization is domestic to the EU or trading from outside the EU, if you hold or process data on an EU citizen you are potentially in scope. A recent survey by HyTrust indicates that 80% of US companies are exposed to GDPR.

Types of GDPR exposure that can affect you

There are four types of exposure that can affect your organization:

Vicarious liability, including a variation of class action suits
Regulatory fines
Directors' personal liability
Reputational risk through disclosure and investigation

1. Vicarious liability

In the Morrisons case, still working its way through the courts, a class action suit by employees seeks damages for a willful breach of their privacy by a rogue employee; it has been initially successful and is now under appeal.

2. Regulatory fines

Because this legislation was crafted precisely to address multi-jurisdictional reach, within and outside the EU, companies with recent breaches should hear alarm bells ringing in the boardroom. Consider what Equifax, Uber, Sony and eBay would have experienced under GDPR: a variation of class action suits, personal liability for their directors and millions of dollars in regulatory fines (4% of global turnover, with a maximum of 20 million Euros, for each infraction that involved an EU citizen).

Getting GDPR wrong can seriously impair and even destroy an enterprise. While some argue that the US Congress has overly protected Equifax following its recent breaches, GDPR would have taken Equifax to the cleaners. Consider in this context that the Equifax breach is estimated to have affected between 400,000 and 4 million EU citizens.

3. Directors' personal liability

The manner in which personal liability is arranged varies from country to country. The UK, Italy and others have chosen to make directors liable. The global law firm Norton Rose Fulbright points out that under German law directors can be held accountable for breach of their duties, which include a responsibility to ensure that the IT infrastructure of a company is sufficiently protected to ensure the security of data and the avoidance of cyber risks.

4. Reputational risk through disclosure and investigation

It isn't just breaches: even simple requirements such as Article 17, Right to Erasure, more commonly known as the 'right to be forgotten', can trip up organizations. How confident are you that your company can identify and erase all traces of an EU citizen when asked to do so?

In this respect I would also advise boards to consider another, less discussed aspect of GDPR when evaluating their potential exposure: the demeanor of the leaders of the national Data Protection Authorities. Each EU country has appointed an executive to lead its GDPR enforcement. Many of these appointees have, during their careers, developed a strong sensitivity to politics. Several have a long track record in government. We can safely assume that they will react visibly and forcefully to breaches that offend the public.

The renowned GDPR expert André Biesheuvel has been involved in GDPR from day one and is a Principal at GDPR experts Duthler Associates. He states, 'Many organizations have not recognized the essential paradigm change in GDPR compared to other regulations. They have fallen into the trap of relying on auditors and lawyers to arrange compliance rather than address the true threat, which is financial and legal exposure.'

The board should also consider the unintended cumulative effects of separate regulations. Other regulatory directives can compound the exposure to GDPR for affected organizations. A great example is the UK's Open Banking regulations, which came into effect on January 13th of this year. Open Banking requires the UK's largest current account providers to open their data via a set of secure application programming interfaces (APIs). The BrightTALK website has explained that Open Banking will force banks to shift from being one-stop shops for financial services to open platforms, where consumers can start to embrace a more modular approach to banking by giving verified third parties direct access to this data.

The fact that Open Banking is frequently running on legacy infrastructure of dubious quality should alarm the leaders of those account providers, given the imminent activation of GDPR. Indeed, the Financial Times warned about this as far back as 2015.

Mark de Jonge, Senior Partner at Roland Berger, the leading global consultancy of German heritage and European origin, explains, "For executives, the financial and commercial exposure arising from GDPR is much more onerous than the compliance requirement itself. Financial institutions are among the most likely organizations to suffer, owing to the extent of personal data they accumulate, their reliance on legacy technology to store and process it, the sensitivity of such data and its potential value."

So, what should you do?

Look beyond compliance, to understand and mitigate your potential financial and legal exposure!

The law firm DLA Piper is clear: "GDPR is not a legal and compliance challenge – it is much broader than that, requiring organisations to completely transform."

Any business leader who wants to sleep at night after May 25th, 2018, will need to move from a defensive to an offensive posture on GDPR. Look beyond compliance, to the potential financial and legal exposure that accompanies this new breed of regulation, and take steps to protect against and mitigate that exposure before the rude awakening.