I always find it enlightening as an alleged IT guy when legal types talk about GDPR. They have a much more pragmatic view of its implications as opposed to those in IT. I will relay some numbers that I heard recently whilst listening to a seminar.
Let’s first look at the figures, assuming nothing else changes. 30000 self-reported breaches – using the same conversion rate (reports to fines) of a staggering 0.8%, we can expect 246 fines. Given that for companies with a turnover of less than €500m the fine will be €20m, you would expect the fines collected to be close to £5bn. Very impressive when compared to the £1.6m collected!
But is this realistic? Let’s look at some reasons why the fines may not reach these heady heights;
For those that DO understand risk, i.e. every other organisation within the UK and beyond, what does this mean? Well, simply put:
RISK = HARM x PROBABILITY (OF HARM)
Harm can also be of 2 types (according to the ICO);
Leaving the reputational damage aside for the moment – you can look at the reputational impact on Target in the US if you believe there is actually any reputational harm caused. Let’s deal with the probability component from a purely financial perspective.
We know that there are around 3m businesses in the UK and around half (actually 46%) will have a breach within any reporting year. This is proof in itself that organisations play the risk game – not the game of risk – since the deputy ICO expects only 30000 of 1.5m (0.02%) will *actually* self-report.
If this is the case, and taking the deputy ICO’s figure of 30000 as gospel, this would give a total monetary risk of around €400k (€20m x 0.02%). But we have previously calculated that a theoretical maximum of only around 246 (of 1.5m) of these would convert to fines, a risk of around €4k. Not very much, right? But this still assumes that the ICO has the capacity to deal with 246 litigations; since this would require a 15x increase in resources, we can safely assume that this is too high. A more realistic estimate, if we assume that resource within the ICO has doubled (it hasn’t!), is that they are only actually going to fine 32 (still of 1.5m) organisations, equating to €400 of risk.
Taken literally, this means that you shouldn’t be spending any more than €400 on your GDPR compliance if you are turning over less than €500m. This is clearly not the advice, but it is what the numbers say.
Put another way, your chances of getting fined are so low that you should not be expecting to get fined at all -- regardless of the hype GDPR is currently getting in the run-up to May 25th.
This message needs to be relayed through your business and flowed down to the IT teams, who may be spending money hand over fist in their panic to solve a problem with limited real impact.