New consent rules, broadened European privacy rights, fines going up to millions of euros, as well as stricter procedures and public disclosure in cases of data breach – those are just some of the changes that will come into force as part of the General Data Protection Regulation (GDPR) in May 2018.
Despite the significance of these changes, a large number of companies have no idea what is coming their way with little more than a year till the deadline. As demonstrated by an IDC Research survey* conducted on behalf of ESET, a quarter (25%) of the 700 surveyed European companies admitted they were not aware of GDPR and more than half (52%) of them were unsure of the impact on their organization.
Even after shifting the focus to those which were aware of the regulation, the picture didn’t get much rosier. Every fifth (20%) firm in the survey hadn’t begun preparing for GDPR yet, and almost another 60% were still getting their systems in line with the new rules, leaving only 21% ready for the changes.
This is surprising, especially given the potential consequences businesses will face in case of non-compliance. Nowadays, the costs of data breaches appear to remain in the lower six-figure range, at least according to IDC Research’s surveying. A quick comparison with the coming penalties may put the near future into perspective.
35% of the organizations that suffered a data breach in the last two years reported losses of between €25.000 and €250.000, and another 32% put losses between €10.000 and €25.000. However, the fines and rules on public disclosure imposed by GDPR can potentially increase financial risks after May 2018 to millions of euros.
The new regulation sets maximum fines as high as €20 million or 4% of a company’s annual turnover if the company violates GDPR rules related to breaches of data protection principles, conditions for consent, customers’ or employees’ rights, or international data transfers.
This means a significant increase in risk, but the regulation itself also suggests “proper means” that can help businesses mitigate it. Encryption is named as one of the technologies that can help protect data and ease some of the obligations.
Also, costs for implementing encryption at SMBs – starting around tens of euros per seat per year – are significantly lower than the potentially devastating fines companies face under GDPR.
In this regard, with only a year left until GDPR enters into force, IDC has also looked into the state of encryption and its use amongst the surveyed businesses. It found that file encryption has been implemented in 46% of the firms and is desired by 36%. Compared to that, full-disk encryption is reportedly in use in only 38% of the companies, and desired by a third of them (34%).
For more information on the General Data Protection Regulation, ESET has a dedicated page to help ensure that when the time comes, you have everything covered.