Counting down to GDPR: Will your business make it?

Major changes to data and privacy regulation are on their way, but is your business ready? The General Data Protection Regulation, or GDPR, is designed to harmonise data protection standards across 28 EU member states.

In addition, with less than a year until the new laws take effect on 25 May 2018, now is the time to pay attention.

>See also: Practical steps to deal with the GDPR

If you’re not yet sure what the new legislation will demand of you – or what the consequences of non-compliance will be – then the good news is you’re not alone. In a recent Sophos survey of IT decision-makers, more than half of UK businesses admitted they’re still unaware when it comes to the financial implications of non-compliance. However, if you are in that camp you’ll want to school up quickly, or you may end up paying a hefty price.

The cost of non-compliance

Data breaches are already the stuff of PR nightmares, but post May 2018 the consequences of a breach could stretch beyond reputational damage and loss of revenue alone. If you’re found to be non-compliant with GDPR at the time of a breach, you could face fines of up to €20 million or 4 per cent of your company’s annual revenue, whichever is greater.

That’s a major blow to the coffers of any organisation, but for almost a fifth of our survey respondents, it would see their business close entirely. When it comes to businesses with less than 50 employees, that figure rises to more than half. And nearly 40 per cent of all IT decision-makers surveyed say redundancies would be unavoidable.

Although the chances of a small company getting a €20 million fine is going to be low, there is a part of the GDPR law that talks about fines being appropriate and dissuasive.

>See also: GDPR: What do you need to know?

Meaning that the fine is going to hurt any business – as that is why it is being enforced – but not necessarily aim to close them. Fines are still a part of the GDPR where we will ‘wait and see’, however it is widely accepted that there are at least factors that will help determine the size of the fine – How negligent you are, and how much data did you lose.

Obviously, lawyers and courts will prevail in the event of any breach, and the chances that a company goes bankrupt after a breach still exists, but potentially from other factors than just the fine, legal costs, loss of reputation, etc.

However, despite this clear potential for redundancies and business closures, 55% of businesses still say they’re not confident they’ll be able to comply with GDPR by the looming deadline, and only 6% of UK businesses have made it a priority – versus 30% of businesses in France and 25 in Benelux. This may be due to some confusion over Brexit, but rest assured, if you’re a UK business or handling EU citizen data, GDPR will still apply.

The figures don’t make for happy reading, but it’s not all doom and gloom. The survey also revealed 65 per cent of organisations do have a data security policy in place.

And 98% of organisations either have, or are currently implementing, a formal plan for employees outlining data security policy along with guidelines for handling personal data.

>See also: GDPR: What do you need to know?

This a good sign organisations are making headway in promoting data security, but we can’t rest on our laurels. At the end of the day, this is one of the goals of what the EU is looking to achieve with the GDPR – companies taking data security, specifically personal data, seriously.

Getting prepared

With a host of new requirements for data processing, and even positions to be created and filled, getting GDPR-ready can be a lengthy process. While you may ignore the GDPR in favour of day-to-day priorities, taking steps to reduce the risk across your business right now will help set you on a path to overall compliance.

Reducing risk need not be complicated either. Simply concentrate on stopping the biggest causes of data breaches by making sure the basics are in place. Those basics include: keeping all operating systems and software up to date, implementing encryption for sensitive data, and educating all employees about the risk of phishing and other social engineering attacks. In addition, implement an effective anti-virus/malware solution to reduce the risk of a breach through hacking and malware.

As stated, some businesses in Western Europe are already taking steps to get ready for GDPR, and 42 per cent are confident they will comply by deadline.

>See also: What are US companies’ view on GDPR?

However: only 42% have created a data protection officer role; only 44% have procedures in place to delete personal data in the event of a “right to be forgotten” request or objection to data processing; and Less than half are able to report a data breach within 72 hours of its discovery – a key requirement of the laws.

The upside of regulation

Like any new legislation, GDPR does come with costs and will take time to bed in. However, in this world where everything plays out online, the benefits of a single, harmonised approach to data security are many.

When organisations raise the concern of what being GDPR compliant will cost them, think about the cost of non-compliance. The fines are to ensure that companies sit up and pay attention.

Being GDPR compliant not only saves you from GDPR fines, but it puts your organisation into a better security posture. And that’s good for everyone, businesses and consumers alike.

>See also: General Data Protection Regulation: the BC/DR impact 

Without the legal requirement to act, it’s easy to discount the need to consolidate data and store it in a way that’s easy to locate, anonymise, report on and understand.

However, by investing in data security you can reduce the risk of brand and reputational damage, enable your organisation to identify where sensitive data is located, reduce duplication, and equip your business with valuable consumer insights to drive competitive advantage.

Whichever way you choose to approach GDPR, the legislation is fast approaching. And by taking the time to prepare today, you’ll reap the benefits going forward.


Sourced by Anthony Merry, director product management data protection at Sophos


The UK’s largest conference for tech leadershipTechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics