Business not prepared for GDPR, risking legal action and heavy financial penalties: PwC Comment

Published at 12:28 PM on 16 December 2015

Commenting on the EU's adoption of the General Data Protection Regulation, Stewart Room, PwC partner and head of PwC Legal's data privacy and protection practice, warned that business is not prepared for the complex legal changes to compliance and risks heavy financial penalties and a wave of litigation. This landmark piece of legislation is important because of what it seeks to do by assisting people to gain more control over their personal data, which is also a vital asset of the global economy.

"The scale and breadth of the changes to privacy rules will deliver unprecedented challenges for business and every entity that holds or uses European personal data both inside and outside the EU. Most companies will be shocked at the scale of the new rules and the work that needs to be done before the laws take effect in two years - it is not much time for the magnitude of internal changes that will be required. Compliance costs will also be high, in some cases tens of millions of Pounds, for large entities.

"Major retailers, the banking sector, and any entity that is aiming their marketing and promotion to consumers are especially at risk, as is any entity that uses data around children. Technology companies will also be in the firing line.

"With financial penalties of up to 4% of global annual turnover for non-compliance, some of our largest multinationals as well as public entities could face penalties worth many millions in Pounds or Euros, as organisations are forced to publicly disclose any security and confidentiality breaches to the regulators and the people affected. The new laws will go much further than reputational damage.

"New enhanced rights for people over their personal data may also unleash a wave of legal action and compensation claims against entities that will face new rights including the Right to be Forgotten - so that personal data is deleted and destroyed by organisations.

"Obtaining consent to use personal data is also about to become a lot harder for companies; as well as new requirements to assess the risks to personal data and privacy.

"Business will also face greater scrutiny from the European data protection regulators as new powers enable them to shape how personal data are used."


Notes to editor: Stewart Room is available for interview.

Media Contact: Lisa Macnamara Tel: 0784 333 0907 or Email: [email protected]


About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 208,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at

PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see for further details. © 2016 PwC. All rights reserved

« London Market underwriting confidence down again – PwC’s London Market 2016 outlook | Homepage | Scottish draft budget 2016/17 - PwC in Scotland comments on SRIT and future tax reform »

  • Contact us
  • +44 (0) 20 7213 1768

Specific and out of hours contacts