Coming, ready or not: The cost of GDPR non-compliance

Fail to comply and you could be forced to close. That's the message being sent to organisations of all sizes that handle data of EU residents, ahead of the biggest changes to data privacy legislation in 20 years – the General Data Protection Regulation (GDPR).

According to recent research commissioned by Sophos, these four letters could potentially spell the end of almost one in five European businesses. If regulators come out swinging and impose maximum fines for data breaches from 25 May 2018, the cost could be as much as €20 million or four percent of your company's annual global turnover. That far exceeds the £500,000 maximum available to Britain's Information Commissioner's Office (ICO) today.

The research found that over a third of the businesses surveyed say fines imposed under the GDPR could result in redundancies, and over half of British businesses are yet to comprehend the full financial implications of non-compliance. Yet, even with a sizable heads-up that the legislation is coming, only six percent of UK businesses, 25 percent of Benelux and 30 percent of French businesses consider it a priority for their organisation. To avoid becoming a cautionary tale, now is the time to act.

Why you need to care

The GDPR has two main aims: to give EU residents more control over how their personal data is used and to provide businesses with clearer and more consistent requirements for data collection, storage and processing, doing away with the requirement to stay on top of the data protection regulations for each of the 28 member states. Arguably the biggest change brought about by the GDPR is its application across all companies that handle personal data for anyone residing in the EU. Following its implementation, standards will no longer be determined by individual countries and, despite 26 percent of British businesses reporting confusion due to Brexit, UK businesses will need to comply in full.

At several hundred pages long, there's no doubt that the GDPR is extensive. Unless you're among the 19 percent of French businesses, 18 percent of Benelux businesses and eight percent of British businesses who claim to be compliant with GDPR already, preparation will be a lengthy process. It's not just a matter of taking stock and raising awareness within your organisation, but also setting new privacy policies and practices in place. Despite this, only 42 percent of respondents in Western Europe have created or assigned a Data Protection Officer role within their organisation, and only half have measures in place to ensure individuals have given consent for data collection. Similarly, just 44 percent have procedures in place to delete personal data in the case of a “right to be forgotten” request or objection to data collection, and less than half are able to report a data breach within the required 72 hours of its discovery.

We are yet to see exactly how GDPR penalties will be applied. However, it is fair to assume that it will be in the EU's best interest to act with decisiveness and consistency in the early stages. All indications are that regulators will look to make an example of businesses that fail to comply. That's not just major players – if you breach the regulations, you're likely to pay the price.

How to prepare

The good news is that 65 percent of organisations say they already have a data security policy in place. Also, there is still time to avoid your organisation facing the risk of penalties.  

In 70 percent of businesses, responsibility for GDPR compliance lies with the IT or IT security teams. However, to drive compliance, key decision makers need to get on board. With data breaches occurring across Europe on an almost daily basis, there is a real need to place security at the heart of all your business operations. By investing in data security today, you will not only be able to sleep easy come 25 May next year, but you will also reduce the risk of brand and reputational damage. Enable your organisation to identify where sensitive data is located, break down silos in data storage and access, reduce duplication and equip your business with valuable customer insights to drive competitive advantage.

Reducing the risk doesn't need to be complicated either. Stopping the most prominent causes of data breaches starts with making sure the basics are in place. This includes keeping all operating systems and software up to date, implementing encryption for sensitive data and educating all employees about the risk of phishing and other social engineering attacks.

Ready or not, the GDPR is coming. There is little doubt of it being one of the most comprehensive data privacy regulations anywhere in the world today, and it provides businesses with a very strong set of best practices regarding general data protection and governance. It is created for a world of online services and cloud technology, and it will ultimately reduce compliance costs, complexity, risks and uncertainty for businesses in the EU and beyond.

The price of non-compliance is very real and too high to ignore, so don't set yourself up to be the first organisation prosecuted. Get prepared instead, and the time to do so is now.

Contributed by Petter Nordwall, director of product management at Sophos

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.