Is this the calm before the storm? asks Thorsten Kurpjuhn
Following the flood of opt-in/opt-out emails that hit our mailboxes last spring ahead of the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018, silence has fallen over the topic. To some extent, uncertainty about the legal implications of the legislation still prevails, and businesses have in the meantime buried their heads in the sand under the assumption that it won’t affect them.
As a result of the laissez-faire attitude towards GDPR that persists to this day, GDPR fines totalled €56M in the regulation's first year, from more than 200,000 investigations, 64,000 of which were upheld. The total fines issued to date remain dominated by the €50 million fine issued to Google by France’s national data protection authority, the CNIL.
The approach and reaction to GDPR differ widely across Europe. Countries such as Slovakia and Sweden have yet to issue a single fine, while countries like Poland, Portugal, and Spain have fined companies several hundred thousand euros. Germany has seen some of the highest levels of GDPR enforcement activity, with 42 fines imposed (averaging €16,100) and 58 warnings issued. In comparison, while the Netherlands has issued over 1,000 warnings, only one fine has been issued, which happens to be one of the highest in Europe at €600,000. Whether the level of GDPR fines issued reflects poor compliance in some countries or less-diligent Data Protection Agencies (DPAs) in others remains a grey area.
So where are businesses going wrong when it comes to GDPR compliance?
Business networks are the weak link
A business network is the main highway for a company's data, which makes it a prime target for cyberattacks. Even if data handling protocols and procedures are GDPR-compliant, these efforts can be rendered worthless as soon as network security is breached. Strengthening the network to protect the data on it must be a priority for businesses of any size that want to avoid falling foul of GDPR and the severe financial penalties that can follow.
Companies already risk fines of up to €20m or 4% of global annual turnover, whichever is higher, if they are found in breach. Yet compliance remains a challenge. Arguably, this is because carrying out an email marketing campaign and updating internal documents is a much easier exercise than taking concrete steps to safeguard the network and protect sensitive information.
Cybercrime is an evolving threat that can cause catastrophic damage. Cybercriminals are finding increasingly sophisticated ways of penetrating IT infrastructure, making it difficult for businesses to defend their networks and keep data safe. The harsh truth is that no network can be made completely secure and unbreachable. Thankfully, that is not what GDPR requires of companies.
The legislation simply specifies that businesses must do all that is in their power to ensure data security. This means that businesses need a robust and reliable solution that demonstrates their commitment to controlling access to, and protecting, their digital assets. At this stage, it appears that most businesses would fail to prove that their network is as secure as it can be.
The time is now for stronger security
While large companies are able to outsource the task of putting security measures in place and maintaining them to Managed Service Providers (MSPs), smaller businesses often lack the required knowledge and resources. Yet the penalties for not dedicating enough effort to introducing stronger cybersecurity measures can be a fatal blow for small and medium-sized businesses.
Businesses can’t afford to wait any longer. Not only do they need to keep up to date with regulators’ guidance and the enforcement decisions of DPAs, but they must also review their existing network infrastructure to reduce the risk of cyberattacks. Businesses must also prioritise internal cybersecurity awareness and education, so that everybody in the organisation knows how to handle data securely and knows what to look out for when it comes to threats to the network.
Time has not yet run out, and those who act now can still prevent the sanctions and reputational damage that come hand in hand with data breaches. We need to break the silence and bring GDPR back to the top of the business agenda; otherwise businesses will face a perfect storm in the second year of GDPR enforcement.