Implementing the requirements of the EU General Data Protection Regulation (GDPR) seems expensive, but have you considered the ways in which a data breach will cost your organisation after the Regulation takes effect on 25 May 2018?
1. Fines
The potential for catastrophic fines has been a big talking point of the GDPR, but fines are only the beginning of the repercussions for falling foul of the Regulation.
The GDPR gives supervisory authorities the power to issue fines of up to €20 million or 4% of the breached organisation’s annual global turnover, whichever is greater, but it will take an egregious breach or multiple violations for any fine to come close to this ceiling. Nonetheless, fines remain a real concern, and because the GDPR imposes more requirements than current data protection laws, there are more ways in which organisations can be penalised.
Supervisory authorities’ powers aren’t limited to financial penalties, as our next point shows.
2. Enforcement action
Whether an organisation is fined or not, the supervisory authority will probably investigate its compliance practices and highlight any areas that fail to meet the GDPR’s requirements. The Regulation (Article 58) also gives supervisory authorities corrective powers beyond fines, including warnings, reprimands, orders to bring processing into compliance, and temporary or definitive bans on processing. The organisation will then be required to address the issues identified before a follow-up review, which will cost time and money and could disrupt business operations.
3. Containing and responding to a breach
According to the 2017 Ponemon Cost of Data Breach Study, the average cost of each lost or stolen record is $141 (about €115), and the total cost of a security breach is $3.62 million (about €3 million).
These figures account for everything an organisation does to respond to a breach, such as containing, reporting and investigating the incident, and setting up helplines and web pages for victims.
Ponemon also identifies a less quantifiable way in which breaches cost organisations money.
4. Reputational damage
Ponemon Institute’s report found that the cost of a data breach is driven by the number of breached records and by the loss of customers afterwards (‘abnormal churn’). Other than improving data protection practices generally, organisations can’t control the size of a breach, but they can mitigate abnormal churn by responding to the incident responsibly and managing their reputation.
Many organisations have been tempted to downplay the scale of a breach or cover it up altogether, but this routinely backfires, with the public angrier over the response than over the breach itself.
People are increasingly aware that, in most cases, data breaches are an inevitability rather than a sign of incompetence, so it’s always best to tackle the incident head-on. Organisations can reassure their customers that they take data protection seriously by following data breach notification requirements (under the GDPR, notifying the supervisory authority within 72 hours of becoming aware of a breach, and notifying affected individuals without undue delay where the breach is likely to result in a high risk to them), by following their business continuity procedures, and by giving victims free identity protection services.
Find out more about the GDPR
The GDPR takes effect on 25 May 2018, and any organisation that falls under its scope will benefit from staff who are aware of its requirements. To build that awareness in your organisation, you should consider enrolling on one of our GDPR training courses. Depending on your level of expertise, you might prefer our Foundation or Practitioner course.
These courses are being held in countries across Europe between March and June. Alternatively, you can study online or via our distance learning format.