GDPR: Forced breach reporting will have bigger impact than fines

06/10/2016 10:38

Risk of losing customers will change attitudes faster than huge fines


The mandatory data breach reporting requirements in the General Data Protection Regulation (GDPR) are more likely to make business leaders take cyber security seriously than the risk of huge fines.

This was the view of Jon Pumfleet, global head of information security at Aberdeen Asset Management, speaking at the Investment Week Cyber Security Strategy Briefing event, in partnership with V3 sister site Computing.


Pumfleet explained that the fear of losing customers is a more powerful motivator than financial penalties, as the US stance on such matters has proved.


“GDPR paves the way to embrace the single most powerful force in Western capitalism: the customer. As soon as firms realise they have to tell customers [about a data breach] the mindset will change. Regulations rarely have such an impact,” he said.

“In Europe there’s always been a lot of regulations and controls in place, whereas in the US it’s much more about ‘If you do something wrong, tell your customers.' And that usually means taking out an ad in the paper and so forth.

“This sets the behaviour in the boardroom, and GDPR will do that over here. This is a good thing.”

Pumfleet added that the risk of fines equating to four per cent of turnover is, of course, notable, but he is sceptical that the theoretical threat of huge fines will have the same impact on a board’s attitude.

“Such fines will be used for dealing with issues at the egregious end of the breach scale, but that won’t really apply to everyone and we need to be careful not to use it just to scare people,” he said.

“It's the requirement to go public that will, in time, be a huge help [in changing attitudes].”

The GDPR is now law but won’t be enforced until 2018. The UK is set to leave the European Union and won't therefore technically be required to implement it.