Rolling out new regulations is only the first step in dealing with Europe’s massive cyber-security and data protection problems. Almost half of UK businesses which identify issues discover one attack or security breach per month, according to the University of Portsmouth’s Cyber Security Breaches Survey (CSBS). Since 2018, the General Data Protection Regulation (GDPR) has been the primary law protecting data and privacy, by establishing a framework for fining organisations which are lax in protecting consumers. More than a year after GDPR enactment, breaches still occur at unprecedented rates, and most corporations have yet to see fines for non-compliance. In 2019, all that is changing. Here are five reasons GDPR compliance is on the rise.
Officials realise that enforcing GDPR is essential for consumer protection. Forty-one companies have received fines from Germany for GDPR-related offences. The highest fine, $80,000, penalised an organisation for failing to protect health information from public disclosure. In July, the London Stock Exchange was advised that, following an extensive investigation, the ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR). The UK Data Protection Authority says it is fining Marriott £99 million for a data breach exposing private information for 383 million guests. This included 30 million European Union residents.
Cyber-crime prevention is one aspect of GDPR. Regulations also restrict data sharing and protect consumer privacy. France slapped Google with a £50 million GDPR fine for failing to disclose its process for gathering and using personal information. It’s the first massive fine under GDPR for a global technology company. Google also failed to obtain each user’s consent to personalise ads. The technology giant is not alone in its need to improve privacy and data protection.
Facebook faces a $5 billion US Federal Trade Commission (FTC) fine, after settling with the FTC over the user data scandal involving Cambridge Analytica, a third-party consulting firm. During the 2016 US presidential campaign, Cambridge Analytica acquired private data for tens of millions of Facebook’s users to create psychological profiles to sell to political campaigns. Facebook’s fine is the most significant civil penalty in FTC history for a technology company. Although not GDPR-related, the fine is a wake-up call for businesses to develop or enhance data protection policies.
Reputational damage will be a core consequence of any GDPR-related fine or penalty, similar to the aftermath of a privacy or cyber-related security incident. Associated financial costs may be difficult to discern immediately, because reputational damage is less a stand-alone loss and more an impetus for several potential consequences, namely lost consumers (in both the B2B and B2C contexts), stock price decline, and subsequent difficulty for innovation and growth due to higher borrowing costs.
GDPR-related reputational damage is an elusive risk because the size and scope is contingent upon many factors, such as revenue size and industry, the nature of the alleged noncompliance, the duration of the investigatory process, and timing.
Large-revenue companies may face greater regulatory scrutiny and therefore have more reputational exposure, based on the sheer size and scope of their data collection and processing efforts (in addition to their wider brand recognition). This is particularly likely for industries already in the EU regulatory crosshairs, such as the U.S. technology sector.
Between 2013 and 2014, almost three billion Yahoo user accounts were affected in a hacking attack, making it the largest data breach in history, and yet it took over two years for Yahoo to report it. Not only did the breach harm Yahoo’s reputation, it cost real money. Yahoo faced a $23 million fine by the SEC, and the incident also threatened Yahoo’s acquisition by Verizon, which cut the deal price by $350 million.
Highly publicised data breaches are fuelling the desire for enhanced security protection measures. A recent cyber attack at SingHealth in Singapore compromised data for 1.5 million patients. When news outlets publicise information about high-profile attacks, they raise awareness about the need for secure information technology infrastructure. According to the CSBS, nearly 60 per cent of businesses give senior management updates on cybersecurity.
In fact, Forbes predicts that global cybersecurity spending will surpass $124 billion. Technology platforms are driving business growth and increasing competitiveness. As a result, security drivers, such as industry changes, security risks, and business needs, are critical concerns for organisations seeking to enhance online business interactions. New technologies are offering consumers convenience with online banking, service delivery, remote working and cloud computing. These operational changes are moving businesses toward greater cybersecurity to ensure seamless and secure internet experiences for users.
Most businesses and charities which handle sensitive information are aware of GDPR and its implications. GDPR is impacting the shift toward improving cybersecurity schemes because companies know they can receive a fine for non-compliance. CSBS respondents report that more than a third of entities are making changes in cybersecurity policies as a direct result of GDPR’s enactment and enforcement. These changes include staff training, updating systems, and improving processes.
GDPR is sparking greater engagement between corporate board members and internal data security professionals. Some organisations are reporting greater consistency in maintaining encryption for sensitive files. Staff training and better communication about cybersecurity are ways in which organisations are protecting consumer data overall. These steps toward greater privacy and data protection are proportionate to a business’s ability to meet the growing need for security specialists. While experts project GDPR will have long-term positive effects on Europe’s cybersecurity landscape, the regulations are a starting point.
Skill shortages prevent some businesses from tackling security challenges and implementing processes which ensure consumer protection. The skill gap forces workers to take on the role of protecting digital assets without formal training. Thirty per cent of CSBS respondents send staff to training, and nearly half of the businesses outsource cybersecurity to enhance online protection. Security professionals assist in implementing vital protective measures, affecting data classification and a wide variety of document management processes for businesses seeking to mitigate risks.