GDPR compliance has become a key goal for businesses around the globe. But those hoping to achieve GDPR compliance are missing the point entirely – and are probably vulnerable to large-scale data breaches as a result.
From 25 May 2018, GDPR comes into play. As the date draws nearer, businesses all over the world are becoming ever-more tense.
A wider pool of data will need to be safeguarded. There are going to be new restrictions on international data transfers. And – the point that most people are talking about – regulatory fines are going to increase.
Under the current Data Protection Act, regulatory fines are capped at £500,000. Under GDPR, the most serious infringements can attract fines of up to €20m or 4% of global annual turnover, whichever is higher.
It’s an update that has firms of all shapes and sizes working hard to achieve GDPR compliance before the new law takes effect.
But GDPR isn’t a money-making tool. The new fines – and, in fact, GDPR compliance for its own sake – should not be a business’s primary concern.
What businesses should be focusing on is increasing resilience to minimise breaches.
Because, as a UK-based telecommunications giant will tell you, if you suffer a breach that makes front-page news then regulatory fines are the least of your worries.
The costs of the TalkTalk data breach
In October 2015, cyber criminals took advantage of technical weaknesses in TalkTalk’s systems – an SQL injection flaw in legacy web pages, according to the ICO’s penalty notice – resulting in the compromise of around 157,000 customers’ personal details.
The breach made headline news for over a week and, as we all know, regulators were particularly unhappy. After a lengthy investigation, the ICO slapped TalkTalk with a record fine of £400,000.
That’s still short of the £500,000 maximum, despite what the ICO described as “TalkTalk’s failure to implement the most basic cyber security measures.”
Meanwhile, worried customers left TalkTalk in their thousands – and you can’t imagine the firm’s customer acquisition team was having an easy time of it either.
TalkTalk’s eventual financials revealed the true costs of the breach to be around £60m in 2016 alone. Of course, the financial ramifications will continue for years to come.
Escaping the regulatory fine would have saved the company £400,000.
Preventing the breach would have saved TalkTalk tens of millions of pounds at the very least – and the bill is still rising.
GDPR compliance is simply a minimum requirement
There’s clearly an argument here that says complying with the new laws should reduce breaches anyway, and that the two go hand in hand. We’re not denying that.
Compliance is, and always has been, a worthwhile goal.
But working towards GDPR compliance simply to appease regulators is a questionable practice at best. With GDPR tightening the rules, there’s a real danger businesses will find false confidence in the fact they’re abiding by the law.
Preparing for the new laws should not be a box-ticking exercise. Complying is the minimum businesses must do.
Almost half of all UK businesses suffered some form of breach in the last 12 months – in spite of compliance regulations. Regardless of law, a company’s end goal should be seeking to prevent data breaches altogether.
How to dramatically decrease breaches
Whilst decreasing breaches is easier said than done, working to change employee behaviour is a good place to start.
A recent IBM report found that as many as 95% of security incidents involve some form of human error. Encouraging employees to act as a line of defence clearly has immense potential.
And it’s a potential that’s as yet untapped. A second CyberEdge report quite literally cited “low security awareness among employees” as the weakest link in businesses’ cyber defences – for the fourth year in a row.
New laws are never going to change employee behaviour. Proper cyber security training, education and engagement, on the other hand, just might.
Breaches will continue post-GDPR
Let’s not kid ourselves.
Even those who achieve GDPR compliance are going to suffer data breaches as time goes on.
Every new breach will attract the attention of regulators. And when they eventually come knocking, their questions aren’t going to revolve around compliance. Instead they’re going to ask the same two questions they always have.
“What did you do in an effort to prevent this?”
And, “What are you doing about it now?”
Increasingly stringent cyber security measures are the only acceptable answer.
If it’s an answer businesses are unable to give, then a conversation with regulators should be the least of their worries.