If you believe Guy Bunker, senior vice president of products at security firm Clearswift, the new EU data protection fines could turn out to be "a company killer". But is he right?

The new regulations are set to give data protection agencies the power to fine companies 5% of global annual turnover, up to the value of €100m, which Bunker thinks will put industries with small profit margins in serious danger.

"Businesses these days are built on their IP or their customer information, so they should be looking out for it," he said. "It’s a good thing to do. It doesn’t have to be very expensive, it just has to be well thought out."

Currently UK firms and government bodies face a maximum fine of £500,000 from the information commissioner’s office (ICO), though a survey recently released by iStorage revealed a third of British security professionals were not even aware of the limit. Potential fines measured in eight or nine figures are unlikely to invite the same complacency.

"I think it needs to be done because if we don’t sit up and take notice we will see a lot of the UK’s intellectual property wandering elsewhere," Bunker said. Right now he reckons the ICO is not able to "come down hard enough" on firms that neglect data protection, and in the case of multinationals it is hard not to see his point.

He estimated the current fines are only 5-10% of the cost of a data breach, once one factors in the cost of implementing new policies, taking remedial action, and auditing more regularly. "Actually the fine is just annoying," he said. "But it’s only a small part of the actual breach."

If this is true, breaches may already be costing firms millions, and yet the regulators believe this is not enough incentive for them to change. Bunker believes early fines will be far below the limit, just enough to nudge companies into line. Time may prove that a nudge is not enough.