
03 May 2018
Issue: 7791 / Categories: Legal News, Data protection

GDPR fuels cybersecurity fears


Businesses that suffer a cybersecurity attack after the General Data Protection Regulation (GDPR) comes into force could face huge fines as well as increased reputational damage and potential compensation claims.

The GDPR, which takes effect on 25 May, ushers in strict controls on the use of personal data in the UK. As organisations scramble to ensure their processes are compliant and employees are trained, concern is mounting about the GDPR’s impact on cybersecurity.

For example, TalkTalk was fined £400,000 in 2016 and £100,000 in 2017 after suffering cybersecurity attacks that led to data protection breaches. The maximum fine under the Data Protection Act is £0.5m, but this will rise under the GDPR to €10m or 2% of annual worldwide turnover (whichever is highest) for breaches of data protection obligations, and €20m or 4% of worldwide turnover for breaches of data subjects’ rights and freedoms.

‘We won’t know the full consequences of an attack under the GDPR regime until it happens,’ said Jon Szehofner, partner, Gordon Dadds Financial Markets.

‘However, we do know that the fines could potentially be far more significant and the consequences much greater, and this concern is driving board-level support for investment in compliance. There is also greater potential reputational risk because the GDPR is making people realise the value of their own data.

‘Another issue is that the GDPR gives people rights to redress for misuse of data. Consequently, there has been speculation in some quarters that claims management companies may encourage people to pursue compensation.’

With less than three weeks to go, organisations should make sure they at least know where the gaps and risks are in their systems and focus on what is important to comply with the spirit of the GDPR, Szehofner said.

‘There is a lot of interpretation involved in implementation, and many grey areas. It is principles-based rather than rules-based. Global banks are generally comfortable with that as it’s the type of regulatory system they’re used to, but smaller businesses may find it more difficult.’

Szehofner, who advises global financial institutions, says the first hurdle any organisation needs to clear is ‘understanding the scope of the GDPR as it pertains to their business’.

‘They need to look through the specific lens of their business because a generic response won’t work.’
