When Chrissie dove in for that moonlit swim off Amity Island, she took an unnecessary risk. Sharks feed at night! Shouldn’t she have known this? Similarly, companies should know that not complying with the razor-toothed General Data Protection Regulation (GDPR) could prove financially hazardous. Since it became enforceable last year, GDPR has gone from taking shallow-water dogfish nibbles to revealing a giant set of Great White chompers that can take bigger bites out of security-flawed fish. The biggest bite yet? Close to a quarter of a billion dollars. I repeat, a quarter of a billion dollars!

For a while no one knew when or if the GDPR would actually penalize companies. But with record-high fines this summer—Shark Week arrived a couple weeks early—it’s clear they’re aiming for dissuasion by hitting where it hurts. And while this fine is massive, it could have been worse. As far as penalties go, they depend on the nature and severity of the regulatory infringements and can be:

  • Up to €10 million, or 2 percent of annual global turnover—whichever is greater.
  • Up to €20 million, or 4 percent of annual global turnover—whichever is greater.

While GDPR wasn’t instituted to arbitrarily fine companies—its purpose is ensure data privacy—companies doing business in the European Union need to take it seriously. This means it’s time for boards and C-suites to do some basic math. Even if a company has total annual revenues to merit a $100 million fine for security weaknesses, why risk it? GDPR isn’t going away. Wouldn’t it make more sense to put, say, 10 percent of that potential fine into implementing stronger security controls? Or something else the business could invest in? Sure, $10 million isn’t “chum” change but it’d be a shot of adrenaline for any cyber defense program. That money could be spent beefing up security operations, implementing additional privilege access monitoring or hiring experts (like our Advanced Adversary Simulation team) to perform realistic testing.

Wouldn’t you rather pay a “friendly” to test (attack) your defenses—including people, processes, technology—than find out it’s too late during a real breach that you could’ve used a bigger boat?

Plus, GDPR non-compliance penalties are not the direct consequence of a breach; they’re more sea salt in a gaping wound. While companies should secure for regulation purposes, they should not secure for regulation alone. They need to secure for all the risks presented by the current threat landscape, and the two metrics that boards and company executives should probably care about most are the mean time to detect and the average time to respond. Their focus should be on detecting and responding early, and they should start by doing the basics—and doing them well.


Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.  Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks


Justin Harvey

Managing Director – West Cyber Lead

Subscription Center
Subscribe to Security Blog Subscribe to Security Blog