Take a Chance on Me? Not worth the risk when it comes to the GDPR

The cost of compliance is much less than the price of failure.

To most readers of my blog, this adage may sound obvious with respect to the General Data Protection Regulation (Regulation 2016/679). Nonetheless, its advice isn’t universally observed.

Some months ago, I was talking to a director of a well-known European financial services company about the impact Regulation 2016/679 would have on the business. But I wasn’t fully prepared for his response. “We can afford to pay the fines,” he said.

Wow!

There then followed a couple of seconds of silence as I composed myself. Had I really heard this or had I imagined it? Was it boastful, perhaps intended to impress or simply a bold statement of fact?

I remarked this was interesting. But how could he put a price on reputation? And in any event, the Supervisory Authorities’ powers to slap a ‘STOP ORDER’ on processing personal data on a temporary or permanent basis under the GDPR could effectively kill his business, irrespective of any financial penalty that could be appealed through the courts.

He wasn’t the only one who’d calculated that, under the previous Data Protection Directive 95/46/EC, enforcement wasn’t rigorously pursued across all Member States in equal measure and that, in any event, the fines tended to be low enough for organisations like his not to feel any difference. So why bother with compliance?

He clearly came from the school of thought where it was more acceptable to pay a fine than to make organisational and technical changes that would help to protect personal data, where those changes would incur more costs. It also didn’t help that reporting a personal data breach has been largely a voluntary matter.

Fast forward to today, and how times have changed.

The cost of compliance is much less than the price of failure. It’s probably worth reading that sentence again if you don’t want to believe this is in fact the case under the GDPR and the forthcoming Data Protection Act 2018.

The old assumptions are out of the window. Once known, all personal data breaches that cause harm or damage to customers, clients, supporters and employees, or where the risk of this happening is high or very high, must be reported to the Supervisory Authority within 72 hours, and both the Data Controller and Data Processor are jointly and severally liable.

It’s time to re-boot our thinking about the cost of compliance as saving money. The old economic arguments don’t work.

Perhaps we’re living with a 20-year-old legacy of seeing data protection as a tick-box exercise? This is now replaced by one Regulation across all 28 EU Member States that’s risk-based, outcome-focused and puts the rights, freedoms and interests of Data Subjects at its core.

Art. 25, GDPR spells out what’s meant by data protection by design and by default. This isn’t a nice to have or some conceptual framework for the R&D Department. It’s a legal requirement.

How it’s complied with is up to each individual organisation to figure out, based on its risk appetite and what’s appropriate as organisational and technical measures given the nature of its business, its sector and the type of personal data processing it carries out.

The previous culture of complacency is probably responsible for why so many organisations have left it so late to start their compliance journey. With less than 200 working days to go before the GDPR is fully enforceable, there’s no room for any margin of error. But this is the first small step on what will be a very long journey.

Billy Joel summed it up perfectly when he sang: “I’ve gotta get it right the first time, that’s the main thing, oohh oohh, I can’t afford to let it pass.”

Accountability is now the watchword.

With the maximum threat of a financial penalty equivalent to 4% of global turnover of the preceding 12 months or €20m fine, whichever is greater, hanging over the head of so many executives like the Sword of Damocles, it’s no surprise to see a touch of panic out there.

The excellent 2017 Cost of Data Breach Study published in July 2017 by the Ponemon Institute LLC makes compelling reading for those searching for a business case – should they need one – to accelerate plans in time for full enforcement of the GDPR from 25 May 2018.

The report made several findings based on research of 419 companies across 13 countries including US, Canada, UK, France, Germany, Japan, Brazil, South Africa, Middle East, UAE and the ASEAN Region.

The average internal cost of investigating and dealing with a personal data breach and the aftermath of losing customers but excluding any sanctions, fines or compensation claims is $141/€121/£108 per record.

And those companies surveyed were 28% more likely to suffer another personal data breach in the next 24 months. To put this into context, healthcare insurance group BUPA recently suffered a personal data breach in the UK in July 2017 where a rogue employee stole 547,000 records of policyholders including names, dates of birth, nationalities and insurance numbers that could be used in spear phishing and scam activities.

Based on the calculations of the Ponemon Institute, this would amount to an internal cost to BUPA of a whopping $77m/€66m/£59m. Multiply this by at least a factor of five to get to a figure that includes sanctions, fines and compensation.

So what lessons can be learned from this and other personal data breaches in the Ponemon Survey?

There’s evidence that when organisations put in place organisational and technical measures that preserve customer trust and loyalty in advance of a personal data breach, they’ll tend to have a lower level of lost business/customers.

Organisations that offer identity protection in the aftermath of a personal data breach are also more successful in reducing the churn rate of customers compared with those that don’t offer such support to victims.

It follows that the more personal data records lost, the higher the cost of the data breach.

So it’s good business sense to identify the types of personal data being processed, the risk that this presents and its relationship with sanctions and fines under the GDPR. It’s what we train senior execs to do at Henley Business School.

And it’s also sensible to have data minimisation and retention strategies in place so that there’s transparency internally around the processing of special personal data that represents very high risk. The organisation can then take steps to mitigate the risk of harm or damage that such processing can present to Data Subjects.

Other mitigation factors include having an incident response team on stand-by, extensive use of encryption of special personal data, employee awareness and training and extensive use of Data Loss Prevention (DLP) tools.

Conversely, aggravating factors include the over-use of disruptive technologies that can impede response times, access to cloud-based applications and data as well as the use of mobile devices (including BYOD and mobile apps) that cumulatively increase the complexity of dealing with IT security risks and personal data breaches.

According to the Ponemon Institute, cloud migration at the time of the personal data breach and mobile platforms also tend to increase the cost of the data breach remediation.

But perhaps what was very telling was that 47% of the organisations surveyed by the Ponemon Institute identified malicious or criminal attack as the root cause of the personal data breach and this tended to push the average cost of the data breach to $156/€134/£120 per record.

In conclusion, organisations in Australia, Germany, France and the UK were more likely to improve their ability to keep customers and reduce the cost of a personal data breach as well as limit the number of customer records lost or stolen.

By comparison, companies in the US and the Middle East tended to have a higher churn rate of customers and those in Brazil, India, the Middle East and South Africa had the highest costs of dealing with personal data breaches, according to the Ponemon Institute study.
