
EU GDPR: A Reality Check on Non-Compliance Penalties (Part 2/3)

In my previous blog on the EU GDPR, I talked about the fast-approaching deadline (May 25, 2018) and how any multinational organization that handles EU citizens' personal data must be in compliance. A mandatory breach-notification window that shrinks from 30-plus days to 72 hours, and astronomical non-compliance penalties, are part of this new dawning reality. Yet at the beginning of this past summer, only 52% of organizations in Europe had even recognized the requirement. Experts say awareness is worse in the US.

EU GDPR and astronomical non-compliance penalties

That being said, let's drill down a little further on the non-compliance penalties. If a company fails to comply and is the controller or processor of the EU citizens' data that was compromised, the fine is way beyond hefty: up to 20 million euro or 4% of the enterprise's total worldwide annual turnover for the preceding financial year, whichever is larger!

So, do the math! Take Amazon as an illustration: it reported net sales of roughly $107 billion for 2015, up about 20 percent from the previous year. At 4%, that means that if Amazon were not compliant and suffered a breach involving EU citizens' personal data, it could be on the hook for a fine of up to about $4.3 billion. So no matter how well your company is doing, you can throw any rosy revenue projections out the window with fines of that magnitude.

Now look at it from another perspective. A recent Vanson Bourne survey revealed that 3 in 5 organizations expect to be breached in 2017, and that 29 percent believe they won't even know they were breached when it happens. That should be a wake-up call, something like a trumpet outside your tent: well over half of the respondents expect a breach, and almost a third think they won't even detect it. From the EU GDPR perspective, that's really bad news. Odds are your organization will be breached, and your SOC team might not even know it. When they finally do, and if you're the CEO of a company that is non-compliant with the EU GDPR, you'll have a lot of explaining to do. Most likely on your way out the door, too.

Security leaders must begin campaigning hard for security budgets

If they don't already have a security strategy in place, forward-looking security leaders must begin scoping their requirements now, and campaigning hard for the security budgets they'll need to meet them. The pitch to the executive suite should not be that hard: if they don't approve the spending, it could mean millions in penalties, and there is better than a 50% chance the organization is already in the danger zone. The cost-benefit analysis, and the odds, say it's a smart investment.

But try to look at it from an advanced security analytics perspective. Article 32 of the GDPR requires controllers and processors to implement security measures appropriate to the risk, "taking into account the state of the art" (SOTA). One of the four measures it names is "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services." That is what controllers and processors of EU citizens' personal data must be able to demonstrate, and it is where best-of-breed, state-of-the-art security analytics vendors align.

Drawing context from big data with mature machine learning models is state of the art. Only a select few companies can deliver these capabilities with established use cases in UEBA (user and entity behavior analytics), identity analytics (IdA), privileged access analytics (PAA) and cloud security analytics (CSA). So, if you don't have an advanced security analytics strategy in place, the time to get one is now.

In our next blog, we’ll be talking about the steps to prepare for the EU GDPR.

To learn more about the EU GDPR, check out our white paper on the topic: Advanced Security Analytics Applications in EU GDPR

Leslie K. Lambert
Chief Security and Strategy Officer, Gurucul
