No matter what size organization, a fine of 4% of your total revenue or €20 million, whichever is higher, will hurt.

That’s the headline-grabbing stick being used by regulators to ‘encourage’ European Union General Data Protection Regulation (GDPR) readiness.

Granted, it’s the upper tier of penalties for non-compliance, but even the 2% or €10 million lower limit could put a big dent in profitability and even see some smaller organizations go out of business.

Do you hope for the best? Or prepare for the worst?

Given the choice, do you hope you don’t get breached or found out? Or do you take the necessary steps to protect yourself and the privacy of customers, employees, and others whose personal data you may hold? That’s the question many are asking as they contemplate what, or how much, to do before the May 25, 2018, enforcement deadline. Gartner believes fewer than 50% of organizations will be fully compliant by then. And according to Osterman Research, as of December 2017 only 41% of organizations feel they are ready to comply with the requirements of the GDPR. That leaves a massive number facing a significant risk of fines.

Full compliance is perhaps an unknown quantity right now, but there are critical people, process, and technology changes that can certainly reduce the risk of breach and subsequent potential fines.

Will the regulators really issue fines?

Do you want to be the one to find out? Technology can help simplify the road to compliance but will need investment. Many will be asking, “what’s the cost of getting ready versus the potential fine?” It’s a legitimate question. But that’s like only taking third-party insurance on your car hoping you’ll never have an accident. It’s a false economy and you’ll end up paying for it in the long run.

There are ways to limit the “one-off” impact of technology purchases, such as adopting cloud services. Now very much mainstream, cloud-based services can be paid for out of operational cash rather than requiring the capital upfront. They benefit you in other ways too: they are generally faster to get up and running and are kept up-to-date without needing your involvement.

There is also another layer of problems for an organization that violates GDPR: non-financial penalties. Authorities can impose restrictions, put an end to certain processing activities, mandate remediation programs, and then require audits going forward. An investigation alone can also put a strain on your business by creating doubt in the minds of your customers, employees, and stockholders.

Prioritizing areas most at risk can help with where to start.

This includes email, which stores a huge amount of personal data while also being the top route for attackers into your organization. Effective email cyber resilience, including advanced security, robust data archives and backups, and a business continuity plan, can go a long way toward getting GDPR ready.

The right security can help prevent a successful attack, stop personal data leaks and encrypt information at rest and in transit. An integrated archive and backup means faster access to information to support subject access, data portability and right to be forgotten requests. Having a Plan B for email means all your safeguards are maintained even if your primary mail systems go down.
