GDPR (General Data Protection Regulation) is an acronym that you may have noticed being talked about around the internet lately. Like many proposed rules and regulations, the GDPR sets a new standard for how businesses can operate and use customer data in the European Union. The law was proposed as a replacement for the 22-year-old EU Data Protection Directive. The implications and consequences of violating the now-enacted GDPR reach far and wide, and many companies have not even begun to prepare for it.
The new law regulates how data from EU citizens is collected, stored, transferred and used in business. It also raises a variety of new questions. For instance, if a business has no interaction with EU citizens, why should it care about compliance? The law is meant to push companies into being more transparent and accountable with the information they collect. So even if a business is not operating within the EU market, it can still use the GDPR as a guideline for compliance with data security best practices and regulations. While a number of organizations are choosing to do nothing and simply pay the EU fines, many others have begun preparing themselves for the compliance that will be required of them.
Sounds scary, right? So how should your organization prepare?
With the GDPR regulations now enacted in the EU, organizations must develop a compliance plan to avoid violations. To illustrate the potential consequences, organizations in violation of the new law face the looming threat of massive penalties that could equal up to 4% of annual global revenue, or a fine of about 20,000,000 Euros (almost $23,000,000 USD).
Sure, some of the larger corporations out there will have no problem paying the fines, and are thus choosing to ignore compliance. But for small to mid-market companies, 4% of annual global revenue is a huge blow to the bottom line. You do not want to end up in the crosshairs of the Data Protection Authorities (DPAs) in the EU. It is very important for smaller companies to do everything they can to protect the privacy of their customers in the European market.
A Framework for Privacy and Compliance
A good approach to this problem is to create a compliance-based framework that IT and security professionals can refer to when they work on building privacy into their development cycles. It is important for these companies to classify and protect all personal data of their user base. You should have an established plan and procedures to identify any gaps in protection that your company may be facing, and a contingency plan for addressing these underlying issues. Without effective security controls, your company may be leaving your users' personal information exposed, making it much easier for malicious actors to acquire personal data on your users. Every compliance-based framework should have a way to monitor, detect, respond to and report any policy violations and outside threats.
Developers and technology executives should focus on embedding privacy-by-design into their development cycles. Putting an early focus on the security of your users' personal information makes it easier to face and address any future privacy and policy violations. With the rapid pace and evolution of technology, respect for user privacy should be at the heart of every company's strategy. Data breaches are becoming the new norm for a lot of companies, and the bad PR surrounding these breaches is a serious reputational blow to the brands affected. 64% of companies polled said they suffered a data breach at least once in the last 2 years, many of which included personal data. When the Equifax breach occurred, over 145 million Americans had their personal data compromised. Another incident was the WannaCry ransomware attack, which affected over 200,000 computers across 150 countries.
Facing the Risk in Healthcare and Finance
The two sectors most at risk of personal data breaches are the financial and healthcare industries. In the past 2 years, 35% of financial institutions have reported data breaches, whereas healthcare, manufacturing and utilities come in at a distant second with a 19% data breach rate. These personal data breach rates are alarmingly high, and illustrate just how dire the need to protect user privacy around the globe is.
Any efforts to comply with the new GDPR law will ultimately be fruitless without serious buy-in from the executives and the board. When polled, IT decision makers reported that only 26% of companies have highly visible executive management and boards of directors showing concern for the protection of user data. Without executives getting involved in the process, any attempts to meet GDPR compliance may be hindered by a lack of communication about privacy and data regulations, which will ultimately lead to gaps in protection.
Among larger companies, up to 39% of businesses believe that they are prepared to pay any potential fines that violating the GDPR may incur. On the other hand, instead of seeking to comply with the GDPR, 24% of polled firms have stated their intention to buy cybersecurity insurance in the event of a breach, ultimately transferring the risk to an insurance plan. Cyber insurance can certainly help soften the blow of massive EU fines, but companies also need to make sure their cyber insurance plans will cover the cost of violating the GDPR, as many of them do not.
Are you willing and prepared to face the consequences of non-compliance?
Companies who are choosing to simply pay the fines or use cyber insurance to insulate against them should ask themselves a very important question: if our company is unable to protect the data of our users, will they continue to want to associate with us or allow us access to their sensitive personal information? There is a huge benefit in choosing to comply with the GDPR, even though the up-front costs may be higher than simply paying a fine. Many companies have risen and fallen over the years based on poorly made decisions that did not sit well with their customers over the long term.
Today's juggernaut companies could end up becoming yesterday's cautionary tale if they choose to willingly ignore the ever-growing problem of data breaches exposing their customers' private information. Don't let your company become a cautionary tale. When customers can trust your company, you will retain more business and pave the way for a trustworthy reputation in the future. Compliance with the GDPR is good business, so make sure that you are prepared!
Are you a cybersecurity professional looking for work? ATR International has been specializing in IT talent placement for over 30 years. Send us your resume!