The European Union General Data Protection Regulation (GDPR) will be enforced from May 25, 2018. From this date, supervisory authorities have the power to ensure that the principles of the GDPR are upheld and that the personal data of EU residents is protected. Failure to do so could result in significant fines. There are two tiers of fines: for the lower tier, up to 2% of global revenue or €10 million, whichever is greater; for the higher tier, up to 4% of global revenue or €20 million, whichever is greater.
Guidance for authorities reinforces that administrative fines should be in line with the “nature, gravity and consequences” of a breach, and any corrective measure must be “effective, proportionate and dissuasive.” More severe penalties will be applied to more significant breaches. But it’s not just the fines organizations should be wary of.
GDPR is designed to give EU residents more control over how their personal data is used and will have a positive impact on individuals’ privacy rights. This is especially important considering the opportunities and risks of the internet and digital economy. It should also make data protection requirements and law clearer for the companies and government agencies that control or process personal data. While this creates a burden for many organizations, it will be a requirement for doing business. Those that don’t take data protection seriously will lose out in more ways than one.
The fallout of a breach will go way beyond the fine imposed. That alone has the potential to hurt even the largest organizations. But what are the other consequences?
Reputation damage is an obvious one. Individuals are being urged to protect their personal data and identities like never before. If they can’t trust you, they will take their business elsewhere. This is reinforced by research showing that 84% of consumers would use a brand’s service less, or stop using it altogether, following a data breach. Under GDPR, depending on the severity of the breach, you may be required to report it to the supervisory authority within 72 hours and to notify affected customers in a timely fashion. So there’s no “flying under the radar.”
Breaches often impair the ability to operate as normal, in the short term and sometimes longer depending on severity. For example, what happens if you must shut down your email system, CRM or other critical apps? How do you communicate with customers or suppliers? What impact does this have on the ability to take orders, keep stock flowing, maintain employee productivity and generally keep the business moving?
Any negative impact on sales ultimately affects profitability and stock prices for publicly traded organizations. A loss of shareholder support can have a major impact on a company’s prospects, including the ability to raise capital – even for private companies.
Other areas of fallout and cost could include additional security (e.g. pen testers, consultants, new vendors) and litigation. The ultimate cost of a breach is unknown. Certainly, the cost can be reduced if the breach is responded to properly. But demonstrating accountability and showing the steps taken to prevent a breach in the first place will put you in a much stronger position – not only in terms of potential fines but from a reputation standpoint too.
As an email cyber resilience vendor, Mimecast is committed to GDPR compliance across our services, with the corresponding contractual assurances. Customers are using Mimecast services to help mitigate the risks inherent in email systems – a key step to become GDPR ready. You can also learn more by reading our solution brief.