
GDPR Compliance: A Carrot or Stick Approach?

There’s Little Value in Heading Down the GDPR Path Simply to Avoid Being Hit With Penalties

As most of you know, the new General Data Protection Regulation (GDPR) comes into force on May 25, 2018 and will introduce major new laws for data processing in European Union (EU) member countries and anywhere EU personal data is processed. In other words, even if your business is based in the U.S., if you process data of EU citizens you are affected. The laws give many new personal data rights to EU citizens, including the right to withdraw consent, easier access to their data, and the right to know if their data has been compromised by a cyber attack. And that’s just the start.

Penalties for non-compliance with GDPR will be severe. For example, if your organization fails to report a data breach within 72 hours, expect a fine. Fines can reach four percent of global revenue or 20 million Euros (more than $24 million), whichever is higher. Organizations of any size will be subject to such penalties, because everyone’s data is equally valuable and no organization is immune to attacks. There will be some proportionality shown depending on factors like the size of the infringement, the effectiveness of reporting, the scale of the effort made to be compliant, the type of information lost, and the type of organization being fined. However, all indications are that any organization fined is likely to find the experience painful, in its own relative terms.

Without a doubt, financial penalties of such magnitude are a pretty sizeable stick. But if your organization approaches GDPR compliance by focusing on the stick – searching for a GDPR checklist of security dos and don’ts, or a GDPR product to buy to protect you from a fine – you’re out of luck. GDPR defines outcomes, not the means of delivering them. It also demands proper consideration and shouldn’t be approached with a check-box mentality. And while security is a strong component within GDPR, it isn’t the only one. Equally important is to ensure that the information you’re trying to protect has been acquired legitimately and is being used appropriately, and that you can satisfy customers’ requests for access to their data and/or for removal of their data from your systems.

So, what if we shift our approach and instead focus on the carrot? I’m referring to the benefits your organization gains by being GDPR compliant, and there are quite a few, including greater focus, business health, customer confidence, and successful digital transformation. 

Focus. Since the 1990s there has been a patchwork of legislation across the EU that companies doing business in that region have had to understand and comply with. While GDPR is a game-changer, it brings consistency and focus that can streamline efforts. GDPR also attempts to introduce a risk-based approach to data protection, so you can prioritize how you address risks based on the threat to your organization. Granted, this single set of rules is more stringent than many businesses are used to working with today, but that leads to the next benefit…

Business health. The set of rules that comprise GDPR form a framework for ongoing accountability and good personal data stewardship. Incident response, data mapping, and maturity assessment all become part of your business plan. As a result, your business will become much healthier. Think of it as making lifestyle changes that are sustainable in the long run and ultimately make you stronger, as opposed to a fad diet that works only temporarily, if at all, and is hard to stick to.

Customer confidence. When your customers and partners know that they’re working with a company that has embraced GDPR and is meeting these stringent standards, they can feel confident that their data is safe. The value of this cannot be overstated. A recent study by Gemalto found that 69% of consumers feel businesses don’t take customer data seriously and 70% would stop doing business with a company if it experienced a data breach. Having consumer confidence is an enviable competitive advantage that contributes to business growth.

Digital transformation. As I’ve discussed many times before, security is an enabler of digital transformation. Success depends on secure transmission of sensitive data and protecting the systems that store and use that data. The GDPR makes substantial inroads in creating such an environment with legislation designed to protect personal data – whether at rest, in use, or in motion. For organizations that process personal data of EU citizens, complying with GDPR is critical to successful digital transformation.

There’s little value in heading down the GDPR path simply to avoid being hit with penalties. Instead, by focusing on the carrot, you’ll find your compliance efforts will ultimately enable your business to thrive in the digital economy. Your customers will have more confidence, your business will be healthier, you’ll bring risk to an acceptable level, and you will be able to detect and deal with potential data breaches in a far more efficient and effective way. Change your mindset, and you can change your business for the better. 

Ashley Arbuckle, Cisco’s VP of Security Services, is responsible for the oversight and global delivery of the Cisco portfolio of Advisory, Implementation, and Managed Services, bringing a pragmatic approach to helping Cisco’s clients solve their most complex security challenges. Arbuckle started his career in security consulting at PwC working with Fortune 500 customers. After PwC he joined PepsiCo where he led enterprise security and the strategic planning process for PepsiCo’s IT budget of over $2 billion. He has a BBA in MIS and Accounting from the Rawls College of Business at Texas Tech University, is a CPA, and holds a CISSP and CISM.