EU GDPR: A Reality Check on the Penalties of Non-Compliance – Blog #2 (out of 3)


Leslie K. Lambert
Chief Security and Strategy Officer, Gurucul

Nov 7, 2017

In my previous blog on the EU GDPR, I talked about the fast-approaching deadline (May 25, 2018) and how any multinational organization that handles EU citizens’ personal data must be in compliance by then. A much shorter mandatory breach-notification window (shrinking from 30+ days to 72 hours) and astronomical penalties for non-compliance, applied when a company is found to be non-compliant at the time a breach occurred, are part of this dawning reality. Yet at the beginning of this past summer, organizations in Europe had reached only a 52% realization of the requirement, and experts say awareness is worse in the US.

Drilling down a little further on the penalties: if a company has failed to comply, and it is the controller of the data at the point where an EU citizen’s data was compromised, the fine is way beyond hefty: up to 20 million euro or 4% of the enterprise’s worldwide revenue (calculated from 2015 revenues), whichever is larger!

Do the math. Take a company like Amazon: its revenue for 2015 was $35.75 billion in sales, up 22 percent from $29.3 billion in the previous year. That means that if Amazon were not compliant and suffered a breach involving EU citizens’ personal data, it would be on the hook for $1.43 billion (4% of $35.75 billion). No matter how well your company is doing, you can throw any rosy revenue projections out the window with fines of that magnitude.

Looking at it from another perspective, a recent Vanson Bourne survey revealed that 3 in 5 organizations expect to be breached in 2017, and 29 percent believe they won’t even know they were breached when it happens. That should be a wakeup call, something like a trumpet outside your tent. That’s well over half of the respondents who think they’ll be breached, and almost a third who think they won’t even know it. From the EU GDPR perspective, that’s really bad news. Odds are your organization will be breached, and your SOC team might not even know it. But when they do find out, if you’re not EU GDPR compliant and you’re the CEO of the company, you’ll have a lot of explaining to do… very possibly on your way out the door.

If they don’t already have their security strategy in place, forward-looking security leaders must begin scoping their requirements and campaigning hard for the security budgets they’ll need to meet them. The pitch to the executive suite should not be that hard: if they don’t approve the spending, it could mean millions in penalties, with better than a 50% chance that the company is already in the danger zone. The cost-benefit analysis suggests, and the odds confirm, that it’s a smart investment.

From an advanced security analytics perspective, one of the four core GDPR principles aligns with what best-of-breed vendors deliver, namely SOTA (state-of-the-art, which is itself another EU GDPR requirement). Controllers and processors of targeted EU citizen data must demonstrate “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”

Drawing context from big data with mature machine learning models is SOTA. Only a select few companies can deliver these capabilities with established use cases in UEBA (user and entity behavior analytics), identity analytics (IdA), privileged access analytics (PAA) and cloud security analytics (CSA). So, if you don’t have an advanced security analytics strategy in place, the time to get one is now.

In our next blog, we’ll be talking about the steps to prepare for the EU GDPR.

To learn more about the EU GDPR, check out our white paper on the topic: Advanced Security Analytics Applications in EU GDPR.