Astonishing results in our GDPR survey among top managers in Europe and the United States: most managers excel at foolhardiness and ignorance. Equally astonishing news last summer for Game of Thrones fans: the plot of the season 7 finale was leaked online weeks before the TV broadcast. If you think these two facts are unrelated, think again!
First, some results of our survey. In 57% of the participating organisations, top management (the CEO or other C-levels) does not want to take up any responsibility when it comes to the GDPR. Forty-two percent of the companies do not know that email marketing involves PII (Personally Identifiable Information), and hence that the data it uses must be protected as such under the GDPR. At the same time, 79% believe that their security is watertight. And 22% of the organisations say that a fine for violating the GDPR would not bother them.
Each of these figures makes me frown. Top managers do not seem to fully realise that protecting and lawfully using data can have a larger impact on their business than what they dismiss as a negligible incident or a fine that "does not bother them". I know very few companies that would shrug off a fine that may amount to 4% of their annual global turnover. But even more troublesome is that a large number of companies (still) do not seem to grasp the full scope of the GDPR, nor do they realise that the chance of a violation is many times larger than they assume.
Viruses and White Walkers: no laughing matters!
I hope that these research results are a wake-up call for organisations and that they will trigger them to set up a comprehensive strategy for protecting and lawfully using data. Moreover, the GDPR is not their only cause for concern. HBO experienced this first-hand with the season finale of ‘Game of Thrones’.
A few weeks before the final episodes of the season were scheduled for broadcast, the pay channel HBO received a message from a group of hackers claiming that they had stolen 1.5 TB of company data, including the scripts of the upcoming episodes. They threatened to publish these online unless HBO paid millions of dollars in ‘ransom’. In the end the story quietly fizzled out, but even so, it illustrates once again that the real danger when it comes to hacks and data theft is not the hot breath of the GDPR on your neck. The more your business takes place online, the larger the danger to your activities and your business results. The hackers, by the way, also claimed that they had obtained the contact details and other personal information of actors and other collaborators on HBO series, and threatened to make these public as well. A story that strongly recalls the leak at Sony Pictures, which cost the head of the studio their job.
If you’ve seen ‘Game of Thrones’, you will understand the title of this blog. Winter is coming for those who do not wake up and get ready. Those who laugh at the danger may come to regret it. Viruses may not look as creepy as the average White Walker, but they are just as capable of doing damage. But of course it isn’t all bad news. Unlike the imminent winter in Game of Thrones, companies can still avert the approaching one.
Not an operational burden but a sustainable business practice
CEOs would be wise to show more interest in the GDPR in particular and in data protection in general. From personal dismissal to irreparable reputational damage, the consequences of a data leak or the unlawful use of data can be huge. Very concretely, this translates into appointing someone who is accountable for data protection. The GDPR that Europe has imposed is actually the perfect occasion to get your business in order and raise security to a higher level.
“It is high time that companies consider their investments in state-of-the-art material and consistent data protection policies as sustainable commercial practices, not as an operational burden”, sighed Rik Ferguson, our VP of Security Research, when reading the results of our survey. I can only join him in this, with one extra thought: hopefully, next year’s survey does not reveal equally high numbers of respondents who have received their first GDPR fine. Or worse.