Most conversations about GDPR gravitate towards the subject of fines. There are two camps; those who contend they’re a hollow threat and those who argue they will be meted out to serve as a warning to others. The problem is that fines are too often being pitched as the business case for investment. After all, €20m can by a lot of logging technology and consultancy hours!
In my opinion this approach is fundamentally missing the point of GDPR. Consider these compliance scenarios:
Firstly: We don’t obey the highway code to avoid the risk of being fined. We obey it for our own safety and the safety of other road users.
Secondly: Airlines don’t comply with rigorous maintenance regimes on their aircraft to protect the value of their asset. No, they do it for the safety of their paying passengers.
As per these analogies, GDPR should first and foremost be about the customer. There are a whole bunch of other reasons for taking GDPR seriously; before you even factor in the potential fines that could result from a data breach.
You’d be forgiven for thinking that with hundreds of millions of customer records having been splurged onto the black market by the likes of Yahoo & Equifax, that most of it is out there already. If you lose your customers PII, it is they who will be subject to identity theft and social engineering attacks and the resultant fraud, not you!
Not only does lost PII stand to seriously aggravate your existing customers, it will result in a black mark against your name where future prospects are concerned. Just ask Talk Talk, who are still bearing the scars of a high-profile breach incurred back in 2014. They say time is a great healer, but that’s not necessarily the case with reputational damage.
A PII data breach places a huge amount of pressure on many aspects of your business, not just financially but also on your employees. The chances are your staff will bear the brunt of the extra work load associated with tidying up the mess. A worst-case scenario could see a down turn in business with the inevitable job losses that go with it.
High profile PII data compromises can and do cost CEOs their jobs. A badly managed PII data breach reflects terribly on the company at fault. Where once it might have been possible to lay blame further down the food chain, the world is wising up. Such incidents are often the result of a cavalier, and negligent attitude to cyber security rather than just plain bad luck. If compliance appears to have been overlooked, the odds of a business’s survival become even lower.
The loss of existing customers, reputational damage, cost of clearing up the mess, not to mention the organisational turmoil that follows a PII breach, will all have a negative impact on the share price.
So as you can see, the fines are way down stream when it comes to why GDPR needs to be taken seriously. As things stand we have no idea how the various EU states and our own ICO will make use of the fines that they have in their arsenal. However, rest assured whatever the magnitude, they will simply represent the cherry on the icing of a rather rotten cake!