Key Considerations in The Ever-Evolving Data Privacy Landscape – The Biggest Risk to Your Organization
Enza Iannopollo, principal analyst at Forrester, recently answered some of the pressing questions we’ve received about data security and, more importantly, about building the foundations of a data security strategy. Today we’re looking at what Enza had to say when asked about organizational risk factors, and which of them ranks as most damaging.
Q: What would you say is more damaging these days to an organization, the risk of fines for non-compliance, the reputational risk, or private or class action lawsuits?
Enza: It is difficult to say. These are all very impactful consequences for organizations. With GDPR, fines for non-compliance can be as high as 4% of a company’s global revenue. So far, we have not seen such a hefty fine being levied, but it does not mean that it cannot happen. European regulators, in particular, have been enforcing GDPR and have so far issued more than 700 fines and enforcement actions, totalising over €300 million.
And this does not take into account the significant investments companies have to make to comply with regulators’ enforcement actions or binding remedies. These can be, for example, putting in place robust identity and access management (IAM) software, adopting technology and processes to prevent data leaks, or establishing employee training and awareness programs. Private and class-action lawsuits are becoming a more common means of regulatory enforcement not only in the US, but also in Europe. And they can be costly: in June 2017, America’s largest insurance company, Anthem Inc., agreed to a $115 million settlement after a breach compromised 80 million customers’ private data. More recently, British Airways settled a U.K. class-action lawsuit involving hundreds of thousands of customers caught up in a 2018 data breach. The settlement, for an undisclosed sum, followed the leak of the personal data of 420,000 customers and staff, including bank details, contact information and addresses. However, reputational damage is what companies are more worried about. And rightly so. Reputational damage typically occurs on top of other costs, such as fines, and it is extremely difficult to quantify. It can affect everything from companies’ goodwill and stock prices in the aftermath of a breach, to the desire of business partners to begin or continue doing business with a company, employee retention, and customer loyalty. Its negative effects can also play out over an extended period of time. For example, over six months after the breach that affected telco company TalkTalk, the company reported that its profits had been cut by 50% as a result of the breach.
To learn more, you can download the full Q&A with Enza here.