When Chrissie dove in for that moonlit swim off Amity Island, she took an unnecessary risk. Sharks feed at night! Shouldn’t she have known this? Similarly, companies should know that not complying with the razor-toothed General Data Protection Regulation (GDPR) could prove financially hazardous. Since it became enforceable last year, GDPR has gone from taking shallow-water dogfish nibbles to revealing a giant set of Great White chompers that can take bigger bites out of security-flawed fish. The biggest bite yet? Close to a quarter of a billion dollars. I repeat, a quarter of a billion dollars!
For a while no one knew when or if the GDPR would actually penalize companies. But with record-high fines this summer—Shark Week arrived a couple of weeks early—it’s clear regulators are aiming for dissuasion by hitting where it hurts. And while this fine is massive, it could have been worse. As far as penalties go, they depend on the nature and severity of the regulatory infringements and can be:
- Up to €10 million, or 2 percent of annual global turnover—whichever is greater.
- Up to €20 million, or 4 percent of annual global turnover—whichever is greater.
While GDPR wasn’t instituted to arbitrarily fine companies—its purpose is to ensure data privacy—companies doing business in the European Union need to take it seriously. This means it’s time for boards and C-suites to do some basic math. Even if a company has total annual revenues large enough to merit a $100 million fine for security weaknesses, why risk it? GDPR isn’t going away. Wouldn’t it make more sense to put, say, 10 percent of that potential fine into implementing stronger security controls? Or something else the business could invest in? Sure, $10 million isn’t “chum” change, but it’d be a shot of adrenaline for any cyber defense program. That money could be spent beefing up security operations, implementing additional privileged access monitoring, or hiring experts (like our Advanced Adversary Simulation team) to perform realistic testing.
Wouldn’t you rather pay a “friendly” to test (attack) your defenses—including people, processes, technology—than find out it’s too late during a real breach that you could’ve used a bigger boat?
Plus, GDPR non-compliance penalties are not the direct consequence of a breach; they’re more like sea salt in a gaping wound. While companies should secure for regulation purposes, they should not secure for regulation alone. They need to secure against all the risks presented by the current threat landscape, and the two metrics that boards and company executives should probably care about most are the mean time to detect and the mean time to respond. Their focus should be on detecting and responding early, and they should start by doing the basics—and doing them well.