Expressing to the Board, categorically, that the risk of a personal data breach is a business risk – rather than an IT risk – has never been easier.
Previously, it was supposedly difficult to quantify the cost of personal data within a business. With the GDPR, a good starting figure for the Data Protection Officer to present to the Board is the potential cost of the fine in the event of a breach, i.e. up to 4% or 2% of an organisation’s previous year’s global annual turnover (knowing how to read financial statements, so as to present precise figures to the Board, is a handy skill to have). For example, 4% of Facebook’s global turnover for 2017 would have been $1.6bn (in Euros) had the regulators called them to task after 25th May 2018.
Now, whilst the 28 Supervisory Authorities, including the UK’s Information Commissioner’s Office (ICO), have been granted the flexibility to determine the size of fines issued against firms that breach the GDPR or are careless with the personal data of their staff, customers and users, there is another potential cost the Board needs to be made aware of: the unlimited remedy that could be awarded to Data Subjects who choose to bring individual actions, or join a class action lawsuit, against the firm after a personal data breach.
Quantifying reputational risk isn’t so difficult either, as this can also be based on the revenue received from a percentage of a firm’s customers, i.e. if we potentially lose xyz customers, how much revenue could we lose as the result of a data breach?
The GDPR isn’t exactly like the outgoing Data Protection Regulations, under which reporting a personal data breach was voluntary – and some organisations undoubtedly got away with not reporting breaches that exposed their clients to identity theft, blackmail and other potential fraudulent targeting on the part of cyber criminals, or to excessive targeting from marketers. Now, if a data controller (the company) fails to report a personal data breach and the breach is instead reported by an external party, this could increase any regulatory penalty imposed on the firm.
Whichever way we view matters, data is an asset, and the Board is responsible for the protection of a firm’s assets; so the onus is on its members to ensure all the required controls are in place to protect the personal data of all the data subjects that the firm has been permitted to hold.