Increased penalties ratchet up per-incident costs. The higher the cost, the higher the per-incident risk.
New organizational obligations with a global reach mean that more companies have more ways to fail.
The “state of the art” GDPR compliance standard differs substantially from the more common “reasonable” standard. Industry norms have been replaced by computing best practices as the reference standard.
The GDPR mandates that processing systems account for:
“State-of-the-art” hacking techniques and their corresponding countermeasures – not only at the time of system deployment, but continuously. There is no reasonable way to meet this standard without an ongoing investment in tracking cyber threat and countermeasure developments;
the cost of safeguarding implementations (time, money, other risks); as well as
the relative likelihood and severity of any given class of data breach occurrence.
Balancing current risk against the cost and side effects of mitigating that risk is consistent with well-understood risk management practices. For a discussion of these basic risk concepts in the context of application development, see The Six Degrees of Application Risk.
With the GDPR, appropriate safeguards are buttressed by notification obligations if/when a breach occurs.
Key factors include:
Timing: A data breach must be reported to the Supervisory Authority within 72 hours of the data breach (Article 33).
Communication: Individuals must also be notified if adverse impact is determined (Article 34). The cost of notification obligations and the penalties of failing to meet timing and communication obligations could eclipse the cost of the breach itself.
Minimize the number of impacted citizens: Early detection of breaches (or breach attempts) limits the number of impacted citizens, and precise measurement of a breach’s scope limits the potential for “false positives.”
In short, PreEmptive Solutions detection, response and reporting capabilities reduce notification cost, breach duration, and overall risk.
On September 12, 2017, the following question was posted to the Europe Direct Contact Centre.
Subject: Liability stemming from Data Processor Software Development Practices
“Would a Data Processor be liable under The GDPR if the Processor develops software that is shown to have included avoidable vulnerabilities that subsequently led to a data breach?”
On September 22, 2017, in an official response, the Europe Direct Contact Centre replied (in part) as follows:
“The GDPR requires that the controller uses only processors providing sufficient guarantees to implement appropriate technical and organisational measures” – including “the requirements stemming from data protection by design and by default and those on (application) security.”
Put more succinctly, the EDCC responded YES. Data Processor Development and DevOps organizations are not exempt from GDPR obligations.