It’s been a little under two months since GDPR regulations came into effect. Despite the anticipated doom and gloom, as with Y2K, no planes fell out of the sky at the stroke of midnight on 25th May 2018.
But that doesn’t mean that everything is coming up roses, either.
Becoming compliant with the GDPR has proven to be a costly endeavor for many organizations. In a recent survey of 300 C-level executives, 1 in 10 expect the work needed to meet its security and privacy requirements to cost their firm well over $1 million USD. Another study, by The International Association of Privacy Professionals, estimates that companies in the UK may collectively spend around $1.1 billion USD (roughly €942 million), while US companies could spend about $7.8 billion USD to achieve compliance.
In many cases the cost of compliance is well worth it, because fines for non-compliance can reach the higher of €20 million or 4% of annual global turnover. Four percent may not sound like much, but for large international companies that figure could easily run into the billions.
In spite of these costs, some organizations are balking at compliance, believing, or hoping, that a breach under the GDPR would cost them less than the compliance effort. But is that the case? One study found that 78% of people would avoid a company after a breach, so the lost revenue alone could far exceed what would have been spent on compliance. Those compliance efforts, moreover, tend to leave the organization's network and data security materially stronger.
Beyond the obvious costs of upgrades and the penalties for non-compliance, the GDPR carries other costs that are easy to overlook.
For instance, there may be blind spots that introduce both security risk and added cost. Say the third party hosting your data, which you engaged precisely to keep it secure and maintain compliance, is breached. Under the GDPR the controller remains responsible for the personal data it hands to a processor, and the processor now carries direct obligations of its own, so a vendor losing your data is your problem as much as theirs. That brings vendor management (the mandatory processing contract, due diligence and breach-notification terms) to the forefront.
Data subject requests should be taken into account as well. Under the GDPR, organizations must respond to a Subject Access Request (SAR) from any individual in the EU whose data they hold within one month of the request (extendable by a further two months for complex or numerous requests). Just as important is the right to erasure, the "forget me" request, which must likewise be honored within a month. That means the individual's data must be removed from every corporate record that holds it, including audit trails, transaction logs and backups; the only records that may be kept are those the organization is legally required to retain, such as transaction records held to meet an accounting obligation, and that exemption has to be justified rather than assumed. On top of that, the GDPR forbids charging a fee for routine requests (only manifestly unfounded or excessive ones may be charged for or refused), so the time spent handling them is a cost the organization carries entirely. And don't forget about possible lawsuits.
More obvious, from a cybersecurity standpoint, at least, is the potential for fraud and criminal activity from a variety of sources.
Almost everyone has seen them: emails urging you to "click here" to view the updated privacy policy as a company moves to GDPR compliance. Many are legitimate, sent by organizations that have worked tirelessly to secure client data and achieve compliance. Most users simply ignore and delete them, which sharply reduces the number of prospects or leads and is disconcerting from a marketing perspective. From a security perspective, though, that reflex is encouraging, because plenty of these emails are fraudulent. The typical lure is a notice of non-compliance, crafted to create a sense of urgency and drive up the click rate. The safe habit is to ignore the link and, if the message matters, navigate to the sender's site directly.
As the value placed on data privacy has grown, personally identifiable information (PII) has become an increasingly valuable commodity: it is sold in criminal marketplaces to commit fraud, or used to extort the company responsible for securing it. With more data placed online by individuals and held by trusted organizations, the companies that collect it are increasingly being targeted.
There are some bright spots though.
Overall, security should be enhanced by the additional safeguards the regulation demands. And it's not too late to comply with the GDPR.
And there is more good news on the cost front: the cyber insurance market has exploded in recent years, with annual gross premiums expected to reach $7.5 billion by 2020. Companies that can show proof of compliance with these stringent requirements will likely see their annual cyber insurance premiums fall. Finally, if your organization is already set up for PCI DSS compliance, many of those controls (access control, encryption of stored cardholder data, logging and monitoring, vulnerability management) carry over to the GDPR, so take heart.