Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



GDPR Compliance: A Carrot or Stick Approach?

There’s Little Value in Heading Down the GDPR Path Simply to Avoid Being Hit With Penalties

There’s Little Value in Heading Down the GDPR Path Simply to Avoid Being Hit With Penalties

As most of you know, the new General Data Protection Regulation (GDPR) comes into force on May 25, 2018 and will introduce major new laws for data processing in European Union (EU) member countries and anywhere EU personal data is processed. In other words, even if your business is based in the U.S., if you process data of EU citizens you are affected. The laws give many new personal data rights to EU citizens, including the right to withdraw consent, easier access to their data, and the right to know if their data has been compromised by a cyber attack. And that’s just the start.

Penalties for non-compliance with GDPR will be severe. For example, if your organization fails to report a data breach within 72 hours, expect a fine. Fines can reach four percent of global revenue or 20 million Euros (more than $24 million), whichever is higher. Organizations, regardless of size, will be subjected to such penalties and that’s because everyone’s data is equally valuable and no organization is immune to attacks. There will be some proportionality shown depending on factors like the size of the infringement, the effectiveness of reporting, the scale of the effort made to be compliant, the type of information lost, and the type of organization being fined. However, all indications are that any organization fined is likely to find the experience painful, by their own relative terms. 

Without a doubt, financial penalties of such magnitude are a pretty sizeable stick. But if your organization approaches GDPR compliance by focusing on the stick – searching for a GDPR check list of security dos and don’ts, or a GDPR product to buy to protect you from a fine – you’re out of luck. GDPR defines outcomes, not the means of delivering them. It also demands proper consideration and shouldn’t be approached with a check-box mentality. And while, security is a strong component within GDPR, it isn’t the only one. Equally important is to ensure that the information you’re trying to protect has been acquired legitimately and is being used appropriately and that you can satisfy customers’ requests for their data and/or to remove their data from your systems.

So, what if we shift our approach and instead focus on the carrot? I’m referring to the benefits your organization gains by being GDPR compliant, and there are quite a few, including greater focus, business health, customer confidence, and successful digital transformation. 

Focus. Since the 1990s there has been a patchwork of legislation across the EU that companies doing business in that region have had to understand and comply with. While GDPR is a game-changer, it brings consistency and focus that can streamline efforts. GDPR also attempts to introduce a risk-based approach to data protection, so you can prioritize how you address risks based on the threat to your organization. Granted, this single set of rules are more stringent than many businesses are used to working with today, but that leads to the next benefit… 

Business health. The set of rules that comprise GDPR form a framework for ongoing accountability and good personal data stewardship. Incident response, data mapping, and maturity assessment all become part of your business plan. As a result, your business will become much healthier. Think of it as making the lifestyle changes that are sustainable in the long-run and ultimately makes you stronger, as opposed to a fad diet that works only temporarily, if at all, and is hard to stick to. 

Customer confidence. When your customers and partners know that they’re working with a company that has embraced GDPR and is meeting these stringent standards, they can feel confident that their data is safe. The value of this cannot be understated. A recent study by Gemalto found that 69% of consumers feel businesses don’t take customer data seriously and 70% would stop doing business with a company if it experienced a data breach. Having consumer confidence is an enviable competitive advantage that contributes to business growth.

Digital transformation. As I’ve discussed many times before, security is an enabler of digital transformation. Success depends on secure transmission of sensitive data and protecting the systems that store and use that data. The GDPR makes substantial inroads in creating such an environment with legislation designed to protect personal data – whether at rest, in use, or in motion. For organizations that process personal data of EU citizens, complying with GDPR is critical to successful digital transformation.

There’s little value in heading down the GDPR path simply to avoid being hit with penalties. Instead, by focusing on the carrot, you’ll find your compliance efforts will ultimately enable your business to thrive in the digital economy. Your customers will have more confidence, your business will be healthier, you’ll bring risk to an acceptable level, and you will be able to detect and deal with potential data breaches in a far more efficient and effective way. Change your mindset, and you can change your business for the better. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Vulnerability researchers at Google Project Zero are calling attention to the ongoing “patch-gap” problem in the Android ecosystem, warning that downstream vendors continue to...