GDPR Compliance: The Legal & Financial Consequences Of Technology Failure – A Guide For Security Professionals (Part 1 of 5)

The General Data Protection Regulation will change the way you do business

The EU General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018. Every organization that processes the personal data of individuals in the EU, regardless of where the organization itself is located, will need to make changes to its technology, processes, and people to comply with the new rules.

This 5-part blog series helps security and privacy professionals understand the GDPR compliance requirements they need to start tackling with immediate effect, and provides an independent perspective on the solutions available to help bridge the technology gap.

GDPR Compliance: Is Your PII Data at Risk?

The threat landscape cannot be ignored

Personally Identifiable Information (PII) has become an increasingly important topic in cybersecurity as the focus of cybercriminals has moved from the theft of financial data to the theft of personal data. According to the Breach Level Index[1], over 9 billion data records have been stolen since 2013, an average of 5.2 million per day. Your organization will almost certainly be the target of a cyber-attack at some point, and there is a greater than 1 in 10 chance that such an attack will lead to serious data loss and/or reputational damage.[2]

Why you can't afford to ignore GDPR compliance

- Fines of up to €20 million (approximately £17.5m) or 4% of global annual turnover, whichever is higher
- The requirement to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it
- Strengthened individual rights, such as the right to erasure (the "right to be forgotten") and subject access requests
- The need to establish a clear legal basis for holding and processing personal data

What are the legal consequences of technology failure for organizations?

Organizations that fail to translate the requirements of the GDPR into their technology risk non-compliance, leading to financial, reputational and legal damage.

The key legal consequences are:

1.      Regulatory investigations and inquiries, during which the organization can be required to disclose its records, risk assessments, technology designs, audit reports, other assessments and incident logs.

2.      Regulatory enforcement orders, which can extend to stopping an organization's use of personal data altogether and requiring the redesign of its business processes and technology environment.

3.      Regulatory fines of up to €20 million or 4% of global annual turnover, whichever is higher*

4.      Exercise and enforcement of individuals' rights, such as subject access requests and requests for erasure.

5.      Compensation claims by individuals who consider their rights to have been infringed.

*Illustrative example: A UK bank suffered a significant breach of personal data during 2016. Had this breach been subject to the financial penalties of the GDPR, the bank could have faced a fine approaching £2 billion, in addition to indirect impacts such as reputational damage.

Did you know?

According to research conducted by Osterman Research, Inc.[3], almost 3 out of 4 enterprise IT decision makers do not believe they currently meet the GDPR compliance requirements, and three quarters of Information Security Officers believe that the expectations of the GDPR will greatly impact IT purchasing and security provisioning.

activereach helps organizations overcome the hurdles of GDPR compliance and works with technology vendors providing best-in-class GDPR solutions. Please contact our Pre Sales Consultants on 0845 625 9025 for further details.

Read Part 2: Taking a Risk-based Approach to the Technological Measures Required to Protect Data

References

[1] Breach Level Index, https://breachlevelindex.com/

[2] Quocirca, "Trouble at your door: targeted cyber attacks in the UK and Europe", https://quocirca.com/content/trouble-your-door-targeted-cyber-attacks-uk-and-europe

[3] Osterman Research, Inc., 2017, White Paper: "GDPR Compliance and Its Impact on Security and Data Protection Programs"