Are you familiar with GDPR? Do you understand its impact on your business and how it is going to affect your cybersecurity? If not, I strongly recommend you start to get a handle on this all-important issue. I recently participated in a panel of cybersecurity experts where we discussed GDPR and its impact, not just on the EU but on business globally. You can see my comments here. First, let me define what GDPR is, and then we will discuss some of its implications. GDPR stands for General Data Protection Regulation and is a set of mandates, regulations and requirements for any company doing business in the European Union. Since the EU is the largest trading alliance in the world, it will most likely affect most readers, and if it does not today, its future implications are huge.
GDPR states that all companies must follow these regulations, and if they do not, they can be fined up to 4% of their annual gross sales. This is a significant inducement to understand and follow these regulations. Just think for a moment what a fine of this magnitude would mean to your company.
Basically, GDPR was formulated because of something I have been writing about and evangelizing here for a long time. Companies are concerned about cybersecurity, very concerned. Surveys have shown that it is a top priority. However, when it comes time for action, companies don't always seem to make cybersecurity that top priority anymore. If you are an exporter doing $100 million a year into the EU, and you get hacked and lose a few thousand customer records of personal data, it is going to cost you.
Studies show the average breach costs around $4.5 million. If you are also fined by the EU under GDPR, you can now double that cost, and that is for a relatively small breach. This is something you do not need to deal with. You will have enough problems dealing with the breach itself: loss of business, loss of supply chain relationships, and damage to your own reputation.
What Is The Future
To make matters even more severe, the future of GDPR is more, not less. Even if you are a company that is 100% domestic in the US, which is unlikely if you are of any size, the effects of GDPR will still be felt, for a couple of reasons. First, you will still have to deal with multinational companies, and through their supply chain relationships they are going to require you to comply so they can stay safe. Second, it is just a matter of time before we see the exact same type of regulations in the US.
In fact, we already have a precedent for it in one captive industry: the credit card industry. The major credit card brands started requiring mandated procedures and actions for all merchants several years ago under a set of rules called PCI. It comes with fines and stringent requirements for how you handle credit card data.
The recommendations are the same as usual. The fix is common sense: a strong security posture, active and effective security policies, and training for all employees, not just IT folks. And of course, a change in mindset on the importance of cybersecurity within your entire organization. This sounds like a lot, but getting started today with the services of a good, trusted advisor will get you on the right track. Action today for prevention tomorrow.