The severity of the financial and operational penalties of EU GDPR non-compliance has been widely publicized, compelling businesses to ensure they comply with this legislation, which protects the personal data of all natural persons within the European Union. However, the financial implications of non-compliance can go beyond the fines imposed by supervisory authorities.
Post-breach public litigation
Some weeks ago, a potentially massive personal data breach made headlines following the alleged harvesting and wrongful use of personal data, and incidents of this kind are becoming more frequent. Heightened public interest in the questionable safety of personal data has made people more conscious of their rights as data subjects. Together with the countless EU GDPR compliance emails sent out by companies assuring recipients that their databases adhere to the regulation, this has only cemented the public’s awareness that personal data needs to be protected by those who hold it.
In the event of a serious personal data breach, Article 33 of the EU GDPR mandates that the supervisory authority be notified, where feasible, within 72 hours of the company becoming aware of the breach. In some cases, the affected data subjects must be informed as well. This exposes companies to post-breach litigation from well-informed individuals, who, under Article 82 of the EU GDPR, have the right to compensation from the data controller or processor for damage suffered, whether that damage is material (financial loss) or non-material (e.g. distress, anxiety or reputational damage). And because a personal data breach usually involves a substantial number of affected individuals, group or public interest litigation can expose businesses to far more significant financial losses.
In addition to public litigation and possible fines or limitations issued by the supervisory authorities, companies that shy away from GDPR compliance face another threat: cybercrime.
The rise of ransomware attacks
Since the EU GDPR came into force, various experts have warned of the emergence of increasingly varied ransomware attacks that aim to exploit non-compliance. Fraudsters will keep finding new approaches, so companies and organizations need to remain alert if they are to avoid being caught up in a scam or cyber-attack blackmail. It is therefore critical that all employees are aware of the GDPR and able to distinguish legitimate requests from criminal activity. In case of uncertainty, the best course of action is to follow the advice of the independent Data Protection Officer.
The EU GDPR has also been widely used as a pretext in social engineering, and weaknesses in the system, such as a workforce not trained in GDPR compliance, can have serious repercussions. It has never been more important to ensure compliance than now — starting from the ground up.
“Compliance should start from the ground up — a GDPR-trained workforce.”
An opportunity to take stock
In preparing for EU GDPR compliance, companies are also presented with an opportunity to review the data they control and, in doing so, to expose cybersecurity measures that are missing or identify vulnerabilities in the system that can be rectified. By regularly reviewing their data assets, data flows and responsibilities within the organization, companies can also strengthen their security against the omnipresent realities of cybercrime.
Don’t underestimate the value of personal data. Learn how to be EU GDPR compliant with Lobster Ink’s practical EU GDPR compliance training. Inquire today.
Originally published at lobsterink.com on October 3, 2018.