BreachExchange mailing list archives

Companies braced for surge in non-compliance penalties as GDPR looms


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 9 Dec 2015 18:47:11 -0600

http://www.globallegalpost.com/corporate-counsel/companies-braced-for-surge-in-non-compliance-penalties-as-gdpr-looms-75351360/

A new study commissioned by SaaS provider Intralinks has found that 52 per
cent of global companies are preparing to face non-compliance fines under
the EU's upcoming General Data Protection Regulation (GDPR) ruling.

The study, conducted by analyst firm Ovum, surveyed IT decision makers in
businesses across Europe, the Americas and Australasia to determine the
preparedness of global firms to handle the legal repercussions of the new
regulations. While the global average for firms anticipating non-compliance
fines under the GDPR was 52 per cent, this average was higher in the UK, US
and Germany, where increased exposure to penalties was predicted by 53 per
cent, 58 per cent and 62 per cent of firms respectively. Additionally,
around two-thirds of respondents suggested that the new regulations would
increase the cost of doing business in Europe, with budget increases of 10
per cent or higher predicted by 30 per cent of companies. Survey results
also predicted an impact on competition dynamics, with 68 per cent of
respondents suggesting that US firms would face tougher competition in the
EU under the GDPR. Seventy per cent said they believed the new regulations
will favour EU-based businesses.

*Mandatory Disclosures*

According to a recent report by legal firm Olswang, mandatory data breach
notification requirements are likely to be the most sorely felt source of
legal and compliance woes for businesses after the GDPR is finalised. Until
now, companies have had the option to keep quiet about data breaches when
they occur — an option that most businesses have tended to embrace.
'Most firms choose not to go public if they can avoid it, to avoid taking a
hit on their reputation', commented Olswang partner Ross McKean.

However, sweeping breaches under the rug will no longer be an option under
the GDPR for incidents involving personal data. As a result, companies need
to establish systems to ensure consistent and comprehensive notification of
data breaches, or face heavy fines. Compliance will come at a cost of its
own — beyond the obvious damage that a public data breach can do to a
company's image, there can also be financial repercussions. A data breach
made public by US retailer Target sparked a 46 per cent fall in the
company's quarterly profits, the resignation of both its chief executive
and chief information officer, and a total bill exceeding $252 million for
costs directly related to the incident.

*Confusion and Uncertainty*

Ovum senior analyst Alan Rodger contends that embracing new technologies
will be key to boosting companies' preparedness for an increasingly complex
and uncertain data regulation environment. 'Different jurisdictions are
imposing inconsistent and often incompatible mandates for how personally
identifiable information is stored, processed and shared', he commented.
'This is already creating confusion and uncertainty ... organisations need
technology options that help them react to a rapidly changing regulatory
environment.'

Involving legal teams from the early stages of a breach can also be
crucial, as it may allow organisations to take advantage of legal
privilege while investigating breaches. According to Mr McKean of Olswang,
forensic reports which contain information about a company's IT
infrastructure and security vulnerabilities will be made available to third
parties unless privilege can be claimed. Currently, less than half of
forensic reports investigating data breaches in US companies are prepared
on a privileged basis.

Sources: Computer Weekly
<http://www.computerweekly.com/news/4500258249/Breach-notification-the-biggest-impact-of-EU-data-law-overhaul-says-law-firm>;
ITProPortal
<http://www.itproportal.com/2015/12/08/global-companies-expecting-fines-galore-new-data-protection-regulations/>
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/