
Controlling the Costs of GDPR

Posted on Tuesday, September 12, 2017
By Dr. Anton Grashion
Senior Director Product & Marketing EMEA, Cylance


The new EU General Data Protection Regulation (GDPR) imposes obligations that your organisation must fulfil to be compliant when the regulation comes into full effect on 25 May 2018.

The media is alive with advice on what you need to do and, with less than nine months left, organisations should be well along the way. The ten steps below, drawn from a combination of the legal checklists I have read to date, give organisations a starting point on their GDPR compliance journey:

  1. Conduct a personal data audit
  2. Maintain detailed processing records and ensure you are able to demonstrate compliance
  3. Review and update all data privacy notices
  4. Review your internal policies and procedures and implement privacy by default and design
  5. Prepare for shorter response deadlines on data subject access requests (DSARs) and for the new data subject rights
  6. Implement training and review checklists for data protection
  7. Implement internal breach notification procedures and incident response plans
  8. Allocate responsibility and budget for data protection compliance
  9. Identify, train, and empower the Data Protection Officer
  10. Implement appropriate and reasonable state of the art technical and organisational measures to protect the personal data processed

This list isn't exhaustive; governance, risk management, and compliance professionals will go deeper and wider than this, and many vendors claim they can help you with some or all of these steps. These steps represent the fixed cost of GDPR: your organisation must complete them in order to be compliant and to be able to demonstrate that compliance.

Controlling the Variable Costs of Thorough Prevention

Security plays a role in the variable costs of GDPR, and that is what many vendors will lead with, given the eye-watering size of the fines that can result from non-compliance. In fact, security gets very little mention in the text of the regulation beyond the requirement (Article 32) that controllers and processors implement appropriate 'technical and organisational measures' to ensure the security of personal data.

Among the recommendations you will hear from security vendors, pseudonymisation is often cited as a measure that helps a controller meet its data security obligations, alongside data leak prevention and a host of other controls that protect data at the level of the individual data subject. The advice you almost never hear, however, is to first reduce the number of breaches that happen at all. This would seem a self-evident truth, but the rush towards a 'detect and respond' approach to security says otherwise. Detect-and-respond is a losing strategy, both in the current ransomware bubble and, in the longer term, for compliance with data protection regulations like GDPR. Before a breach, you still have freedom to choose how to act. After a breach, your options are confined to the tracks that compliance dictates: forensic investigation, notification, and clean-up and consequences. Each of these carries a cost, and in the case of reputational damage and GDPR-related fines, that cost can be considerable.

Many organisations are being advised to concentrate their efforts on the variable, and therefore open-ended, side of GDPR compliance by looking almost exclusively at the response side of the data breach equation. By ignoring the prevention side, they miss an opportunity to reduce and control the variable costs associated with losing personal data. A better strategy is to invest in prevention technology that stops breaches in the first instance: if you can stop the first domino from falling, you save a great deal of time and money.

Prevent Cyberattacks and Data Breaches

By preventing 99% of cyberattacks and data breaches, Cylance® helps eliminate the high-cost regulatory chain reaction. By using the power of artificial intelligence and machine learning, Cylance® can predict known and unknown attacks, proactively prevent malware execution and exploits, and prevent data breaches to protect your business.

Get in touch

Head to our GDPR hub to find out more about Cylance® and Softcat's GDPR services, speak with your Softcat account manager, or get in touch with us directly.