Data security: is it really that much of a big deal?
If you baulk at the expense of data security for your business, you might question how vital it really is. But consider that, according to IBM, the average cost of a data breach worldwide was roughly £3 million in 2018, and it becomes clear that data security is unquestionably something to take seriously. Let's look at why it is an essential expense for businesses of all sizes, and how protecting your data helps you avoid heavy fines, legal challenges and damage to your reputation.
The cost of data breaches in the UK
You might think of data breaches as something that happens elsewhere, but according to the same IBM report the average cost of a data breach in the UK was close to £3 million in 2018. That is admittedly a fraction lower than the global average, but combined with the fines, sanctions and penalties that can follow a breach, it is clear that this is an ongoing, serious issue that companies must tackle effectively.
With the introduction of GDPR (the General Data Protection Regulation), which came into force in May 2018, the maximum fine for the most serious infringements rose to 4% of a company's annual worldwide turnover or €20 million, whichever is higher. In theory, that left British Airways liable for a fine of up to around £500 million for the 2018 breach of its website.
The hidden costs
As well as the direct financial hit your company could take in the event of a data breach, there are other, hidden costs to consider. If it hits the headlines, your reputation will take a dive, with the lapse in data security likely to lead to a loss of confidence in your business. Even if it doesn't make the media, where the breach is likely to put affected individuals at high risk you are obliged to tell them, prompting them to rethink their loyalty in future.
Are you meeting your legal responsibilities?
The GDPR applies in the UK alongside the Data Protection Act 2018. Under it, companies must handle personal data securely and protect it against a personal data breach, which Article 4(12) defines as "the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
The regulation gives some guidance on how to achieve this. Article 32 lists encryption among the security measures a company should consider, and Article 34(3)(a) goes further: if the breached data was protected by measures such as encryption that render it unintelligible to anyone not authorised to access it, the company need not notify the affected individuals.
In the event of a personal data breach that meets the GDPR criteria, companies must report it to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Failing to do so carries a fine of up to €10 million or 2% of annual worldwide turnover, whichever is higher. The stiff financial penalties reflect the fact that data security is now firmly entrenched in UK and EU law.