Companies braced for surge in non-compliance penalties as GDPR looms

A new study commissioned by SaaS provider Intralinks has found that 52 per cent of global companies are preparing to face non-compliance fines under the EU's upcoming General Data Protection Regulation (GDPR) ruling.


The study, conducted by analyst firm Ovum, surveyed IT decision makers in businesses across Europe, the Americas and Australasia to determine how prepared global firms are to handle the legal repercussions of the new regulations. While the global average for firms anticipating non-compliance fines under the GDPR was 52 per cent, this average was higher in the UK, US and Germany, where increased exposure to penalties was predicted by 53 per cent, 58 per cent and 62 per cent of firms respectively. Additionally, around two-thirds of respondents suggested that the new regulations would increase the cost of doing business in Europe, with budget increases of 10 per cent or higher predicted by 30 per cent of companies. Survey results also predicted an impact on competition dynamics, with 68 per cent of respondents suggesting that US firms would face tougher competition in the EU under the GDPR. Seventy per cent said they believed the new regulations will favour EU-based businesses.

Mandatory Disclosures

According to a recent report by legal firm Olswang, mandatory data breach notification requirements are likely to be the most sorely felt source of legal and compliance woes for businesses after the GDPR is finalised. Until now, companies have had the option to keep quiet about data breaches when they occur — an option that most businesses have tended to embrace. 'Most firms choose not to go public if they can avoid it, to avoid taking a hit on their reputation', commented Olswang partner Ross McKean.

However, sweeping breaches under the rug will no longer be an option under the GDPR for incidents involving personal data. As a result, companies need to establish systems to ensure consistent and comprehensive notification of data breaches, or face heavy fines. Compliance will come at a cost of its own — beyond the obvious damage that a public data breach can do to a company's image, there can also be financial repercussions. A data breach made public by US retailer Target sparked a 46 per cent fall in the company's quarterly profits, the resignation of both its chief executive and chief information officer, and a total bill exceeding $252 million for costs directly related to the incident.

Confusion and Uncertainty

Ovum senior analyst Alan Rodger contends that embracing new technologies will be key to boosting companies' preparedness for an increasingly complex and uncertain data regulation environment. 'Different jurisdictions are imposing inconsistent and often incompatible mandates for how personally identifiable information is stored, processed and shared', he commented. 'This is already creating confusion and uncertainty ... organisations need technology options that help them react to a rapidly changing regulatory environment.'

Involving legal teams from the early stages of a breach can also be crucial, as it may allow organisations to take advantage of legal privilege while investigating breaches. According to Mr McKean of Olswang, forensic reports which contain information about a company's IT infrastructure and security vulnerabilities will be made available to third parties unless privilege can be claimed. Currently, less than half of forensic reports investigating data breaches in US companies are prepared on a privileged basis.

Sources: Computer Weekly; ITProPortal
