In the last years, businesses have increasingly focused on providing training and opportunities for their employees to further educate themselves on work matters and acquire relevant skills. With the new EU data protection legislation set to come into effect in the next year, it is more crucial than ever before to educate employees on matters related to cybersecurity and personal data protection.
The GDPR Will Impose Obligations on both EU and US Companies
The EU General Data Protection Regulation is set to come into force on May 25 next year – so companies have less than a year left to prepare themselves and their personnel for the changes about to come. The GDPR will radically change the landscape for companies, imposing several obligations that include data breach notification within a given period, increased requirements for acquiring consent for collecting and processing personal data, as well as providing proof of an adequate level of protection for transferring personal data beyond EU borders. The new rules apply not only to businesses based in the EU, but to companies worldwide as long as they process personal data of individuals within the EU – even when the company itself is not located on EU/EEA soil, according to Article 3 of the Regulation.
With the new rules in place, it is more pertinent than ever to ensure that your employees are up to date with regard to their obligations. Being prepared to effectively combat cyber-attacks will protect you financially in many ways, including minimizing financial losses due to data breaches. According to a survey published by the Ponemon Institute, the average cost of cybercrime for US organizations rose from almost $15.5 million in 2015 to more than $17 million in 2016, with a maximum cybercrime cost of almost $74 million in 2016. But companies that reported a high security profile have seen an average cost of less than $8 million last year. According to the same source, 98% of 237 benchmarked companies surveyed experienced malware attacks and 70% were hit by phishing and social engineering attacks – so raising employee awareness about these types of attacks can prove valuable in the fight against hackers.
New Requirements Will Mandate Employee Training
This means that providing training to your personnel will in general help cut down on data breaches – and financial damages. Yet you should still make sure your employees are properly educated not only in order to prevent incidents, but also to ensure compliance with the EU Regulation. GDPR Article 32 provides for many obligations regarding data controllers and data processors, that might catch companies off guard if they wait too long to prepare. Compliance includes taking appropriate technical and organizational measures that guarantee data protection and privacy, such as pseudonymizing or encrypting personal data (especially sensitive data), ensuring confidentiality, integrity and resilience of part of processing systems and services, as well as demonstrating ability to restore personal data after a breach.
So you need to make sure that every member of your company who is potentially a data controller or data processor – and that ranges from the HR department to Contracts and to Marketing – is up to par with adhering to these requirements. Failure to comply – even absent an actual data breach – could result in hefty fines for companies that might rise up to more than $23,000,00, or 4% of an organization’s annual global revenue. Even though there are only nine months left until the GDPR enters into force, most companies seem still unprepared. A recent survey by Gartner predicted that more than 50% of all businesses affected by the new Regulation will not be in compliance with their obligations by the end of 2018 – which will most likely have devastating consequences for them.
The clock is ticking for companies both within Europe and overseas – and the best way to respond is adopting a proactive approach and promoting security across all sectors within your business activities. Training employees and raising awareness is key towards achieving these goals.