If GDPR were to be implemented today, firms could face fines of $323bn

Chief privacy officers should be recruited and governance structures put in place, advises Capgemini Consulting

If the new EU General Data Protection Regulations (GDPR) were to be implemented today, the global consumer products industry could face penalties of up to $323bn (£244bn), according to research from Capgemini Consulting.

The consultancy firm interviewed 300 managerial-level executives in the consumer space with combined revenues of over $756bn to compile its latest report, Consumer Insights: Finding and Guarding the Treasure Trove.

The research found that consumer product companies relied on consumer data to make marketing campaigns more effective, to help roll out new products and refine existing ones, and to deliver cost savings and efficiencies in supply-chain operations.

However, the way they are collecting this data could cause huge problems in the long run. Capgemini found that an overwhelming 90 per cent of companies have faced a data breach and nearly one in two companies did not comply with industry regulations.

With the risk of fines of up to four per cent of annual turnover for data breaches, Capgemini said if GDPR were to be implemented today, the global consumer products industry could face penalties of up to $323bn in a "worst-case scenario".

But the consultancy firm emphasised that getting consumer insight through data is not an impossible task, and that it merely required a structured approach.

"Consumer product companies need to fix their governance structures for insights, develop the right capabilities and establish the role of a chief privacy officer. The benefits of consumer insights are there for everyone to see, but sustaining value over the long term will require consumer products companies to focus on privacy issues as a matter of urgency," it said.

The new regulations will technically not apply to firms operating in the UK because of Brexit. However, the Information Commissioner's Office has made clear that new legislation should be drawn up that would mirror the GDPR.

"If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the single market on equal terms, we would have to prove 'adequacy' - in other words, UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018."