FTSE 100 companies could face fines of up to £5 billion a year if they don’t comply with the EU General Data Protection Regulation (GDPR), according to analysis by global management consultancy Oliver Wyman. The EU regulation, which will overhaul the way companies acquire, retain and use personal data, will come into effect on 25th May 2018, just 12 months away.

GDPR will allow EU consumers to ask why personal data is collected, how it is being used and how long it is retained for and to request that companies erase and stop processing their personal data, with at least ninety million gigabytes of data being taken back, estimates Oliver Wyman. It will also allow companies to ‘poach’ data from rivals, if they can obtain customers’ permission.

Most businesses are not fully prepared to deliver this, or to adapt to the business consequences of losing their data bank. For serious breaches, firms will have to pay fines of up to four percent of their global annual turnover, or €20 million, whichever is the greater.

Had GDPR been in place for the past five years, the consultancy’s analysis shows that FTSE 100 companies could owe up to £25 billion in fines to EU regulators.

Chris McMillan, a Partner in the data and technology arm of Oliver Wyman, said: “In the tug-of-war between companies and their customers over personal data, GDPR falls firmly in the consumer’s favour. With fines of up to four percent of global turnover, or €20 million on the table, non-compliance is simply not an option.”

Companies must prioritise data security with strong engagement from the top down. Experienced Chief Data Protection Officers and Data Engineers, already in short supply, will be in even shorter supply this time next year.

“As well as meeting the basic requirements, and building a defensive moat around their data, savvy companies will use GDPR to their own advantage by ‘poaching’ data from rivals and even players from outside their industry. With consumer permission, there is nothing to stop a financial services company from requesting data from a technology company or vice versa. Companies that don’t use GDPR to improve their customer value proposition will be left behind, and are likely to have their own data pillaged by their competitors,” added McMillan.

All UK companies will be subject to GDPR until at least March 2019. Post-Brexit, companies dealing with EU citizens will still be subject to GDPR.

About the research

Oliver Wyman identified FTSE 100 companies, with significant customer interactions, that have incurred a known data breach in the past five years. Using 2015 financial reporting figures, Oliver Wyman applied the fine (four percent of annual global turnover) to reach the total of £25 billion, or £5 billion per year.

About Oliver Wyman

Oliver Wyman is a global leader in management consulting. With offices in 50+ cities across nearly 30 countries, Oliver Wyman combines deep industry knowledge with specialized expertise in strategy, operations, risk management, and organization transformation. The firm has more than 4,500 professionals around the world who help clients optimize their business, improve their operations and risk profile, and accelerate their organizational performance to seize the most attractive opportunities. Oliver Wyman is a wholly owned subsidiary of Marsh & McLennan Companies [NYSE:MMC]. For more information, visit www.oliverwyman.com. Follow Oliver Wyman on Twitter @OliverWyman.