New consent rules, broadened European privacy rights, fines going up to millions of euros, as well as stricter procedures and public disclosure in cases of a data breach – these are just some of the changes that will come into force as part of the General Data Protection Regulation (GDPR) in May 2018.
Despite the significance of these changes, many companies have no idea what is coming their way with little more than a year to go until the deadline. As demonstrated by an IDC Research survey* conducted on behalf of ESET, a quarter (25%) of the 700 surveyed European companies admitted they were not aware of GDPR and more than half (52%) of them were unsure of the impact on their organizations.
Even after shifting the focus to those that were aware of the regulation, the picture didn’t improve that much. Every fifth (20%) firm in the survey hadn’t begun preparing for GDPR yet, close to 60% were still getting their systems in line with the new rules, leaving only 21% ready for the changes.
This is surprising, especially given the potential consequences businesses will face in case of non-compliance. Nowadays, the costs of data breaches appear to remain in the lower six-figure range, at least according to IDC’s survey. A quick comparison with the coming penalties may put the near future into perspective.
35% of the organizations that suffered a data breach in the last two years reported losses of between €25,000 and €250,000, while 32% put losses between €10,000 and €25,000. However, the fines and rules on public disclosure imposed by GDPR can potentially increase the financial risk after May 2018 to millions of euros.
The new regulation sets maximum fines to as high as €20 million or 4% of a company’s annual turnover if the company violates GDPR rules relating to breaches of data protection principles, conditions for consent, customers’ or employees’ rights or international data transfers.
This means a significant increase in risk, but the regulation itself also suggests “proper means” that can help businesses mitigate it. Encryption is named as one of the technologies that can help protect data and ease some of the obligations.
Also, costs for implementing encryption at SMBs – starting around tens of euros per seat per year – are significantly lower than the potentially devastating fines companies face under GDPR.
In this regard, with only a year left until GDPR enters into force, IDC has also looked into the state of encryption and its use amongst the surveyed businesses. It found that file encryption has been implemented in 46% of firms and is desired by 36%. Compared to that, full-disk encryption is reportedly in use in only 38% of the companies, and desired by a third of them (34%).
For more information on the General Data Protection Regulation, ESET has a dedicated page to help ensure that when the time comes, you have everything covered.
*Survey was conducted in over 700 organizations across seven European countries: the Czech Republic, Germany, Italy, the Netherlands, Slovakia, Spain, and the United Kingdom. The survey focused on SMEs with 50–499 endpoints to protect across all vertical sectors. Respondents in C-level, security, IT administrative or management positions were questioned about a range of security-related topics.