With less than a year remaining until the European Union’s new General Data Protection Regulation kicks in, the level of hyperventilation in the business world has reached epic proportions.
An April study by Veritas reports that 86 percent of organizations worldwide are concerned that that a failure to adhere to GDPR’s strong privacy guidelines could have a “major negative impact on their business,” and 18 percent fear it could put them out of business entirely. Another study fielded in the U.K. warned that FTSE 100 companies could face fines of as much as £5 billion each.
It’s always good to be prepared, but excessive handwringing at this point does little good and may obscure the positive impacts of GDPR in driving corporate security awareness, according to one expert. Darron Gibbard has studied the Regulation as it evolved from a patchwork of local standards over the past 20 years both in his current role as chief technical security officer at Qualys Inc. and in his previous role as head of risk and information security services at Visa Europe Ltd. In an interview with SiliconANGLE, Gibbard said much is still unknown about the details of GDPR and how aggressively it will be enforced.
“You can’t be too careful, but we don’t know how it’s all going to play out,” he said.
Organizations are particularly alarmed by the harsh penalties the Regulation specifies: up to €20 million or 4 percent of a company’s annual worldwide sales for each infraction, whichever is greater. If enforced to their fullest extent, these fines could wipe out many businesses, but Gibbard believes that isn’t the EU’s intent.
“Everything about the current regulations is based on the seriousness of the breach,” he noted. “I’m a firm believer that there would have to be a similar approach” to GDPR enforcement, such as a sliding scale of fines based upon the number and severity of violations. In the meantime, the severity of the fines is getting companies focused on the changes they have to make and drawing the attention of C-level executives. “I think it’s more about fear and forcing organizations to take privacy more seriously,” he said.
The overarching goals of GDPR are laudable: Put control of personal information back in the hands of individuals, and force businesses to exercise greater responsibility when handling personal information. Businesses with sound data governance and classification procedures should experience little inconvenience and may even gain an edge over competitors who are struggling with compliance.
