A Possibly Overlooked Threat of GDPR

The cost of preparing and averting war will always be inferior to the cost of war itself. Sun Tzu deals extensively with the costs of war in chapter two. The OECD evaluated conflict prevention too and concludes that wars are generally more expensive than war prevention.

Martin Hoskins, Associate Director at Grant Thornton UK advised customers during Qualys’ London QSC in 2016 to look at what the Information Commissioner’s Office has done in the past to get a sense of what they might do in the future. According to him, in this case past performance is indicative of future performance.

GDPR is imminent and many people are still trying to figure out how serious this is – where should they deploy which resources to achieved the maximum risk reduction.

Numbers like “4%” and “20 million” are often mentioned. This one was randomly taken from Imperva.

During CloudWeek Paris 2017 Max Schrems demonstrated how judges feel perfectly competent ruling aggressively on matters of personal data. The GDPR was not written to simply please consumer watch dogs.

CSOs I have spoken to are frustrated by how vague GDPR is. Some go as far as praising PCI-DSS for the clarity of the language used.

During CloudWeek Max Schrems brought to our attention that we should be worrying about the damages resulting from civil action against companies. Not (just) the fines.

By using the example of the damages accorded to a plaintiff in the case of credit card fraud, the plaintiff was awarded 750€ in damages for improperly handled data.

Some European counties now have notions of collective action similar to the class action found in US law.

So reconsider the massive breaches over the past years. If damages are awarded in the 100’s per record for millions of lost records, then we are very quickly beyond the 4% or $20 million bogeymen often reported in the press.

50,000,000 records x € 100 fine = € 5,000,000,000

This calculation on the back of a napkin is obviously nothing more than yet another fear mongering scare tactic.

(The numbers are not entirely crazy though)

The courts have shown they are no longer scared of such crazy numbers: “Google fined record €2.4bn by EU over search engine results

Another thing Sun Tzu said was that it was best not to fight a war in the first place. Many moons ago a CSO told me that instead of trying to make his information system compliant with PCI-DSS, he banished any and all cardholder data. Likewise, J.D. Wetherspoon deleted their mailing database to avoid GDPR problems.

“We felt, on balance, that we would rather not hold even email addresses for customers. The less customer information we have, which now is almost none, then the less risk associated with data.” J.D. Wetherspoon to Wired.