GDPR will make firms take data protection seriously
Mandatory data breach reporting requirements in the General Data Protection Regulation (GDPR) are more likely to make business leaders take cyber security seriously than the risk of huge fines.
Speaking at the Investment Week Cyber Security Strategy Briefing event, in partnership with Computing, Jon Pumfleet, global head of information security at Aberdeen Asset Management, said he thinks the fear of losing customers is a more powerful motivator than financial penalties.
“GDPR paves the way to embrace the single most powerful force in western capitalism – the customer. As soon as firms realise they have to tell customers [about a data breach], the mindset will change in a way regulations rarely do.”
He said this has been the case in the US for some time and has proved effective.
“In Europe there’s always been a lot of regulations and controls in place whereas in the US it’s much more about ‘if you do something wrong, tell your customers’, and that usually means taking out an ad in the paper and so forth,” he said.
“This sets the behaviour in the boardroom and GDPR will do that over here, and this is a good thing.”
Pumfleet added that the risk of fines of four per cent of turnover was of course notable, but that he was sceptical that the theoretical threat of huge fines would have the same impact on a board’s mindset.
“Such fines will be used for dealing with issues at the egregious end of the breach scale, but that won’t really apply to everyone and we need to be careful not to use it just to scare people,” he said.
“It’s the requirement to go public that will, in time, be a huge help [to changing mindsets].”
The GDPR is now law, but won’t be enforced until 2018. While the UK is set to leave the European Union and would therefore not technically be required to implement it, it will likely have to adhere to the regulation in order to achieve equivalency, so that UK firms can operate in the EU without incident.