cyber-security approach, philosophy, business, protection

Are you really GDPR compliant? Can you afford not to be?The next day for businesses

On the 24th of May all business people waited to see what will happen by the 25th of May.

Something like a dooms-day expectation feeling is in the air.

Let’s look at a few scenarios on how this day played out.

Scenario #1:

I have a DPO assigned. My responsibilities are covered!


No they are not. Having a DPO assigned is not your responsibility. This is just the first step in the process. Whether you like it or not, understand its value or not, the purpose of the GDPR is to protect people’s private data. In an era where data is the most valuable asset, even more valuable than oil; the impact of cyber-attacks and data breaches are affecting people.

Want a little help?

cyber-security approach, philosophy, business, protection

Scenario #2:

I am covered. I have done everything requested of me.

Getting prepared for the GDPR regulation is very important. However, the real value of our preparation comes when a client complains about their data privacy, when a breach or a cyber-attack occurs, and a small or big number of clients’ privacy is impacted in a negative way and the scale of this impact. Many people have been advising and offering services on GDPR and not all of them have the qualifications to do so. The effectiveness of those people will have to withstand the impact when the time comes, and it will come sooner or later as both data breaches and cyber-attacks have entered our lives and are here to stay. So, my advice for those of you who believe they are compliant is to test its effectiveness.


Stage an attack and go through the process step by step. Is it working or not? Key point here is: do not ask the person who got you into compliance to test it. No one will find a mistake they themselves made! You need someone who is not biased in the process. If I were you I would wait to see how a real or a good staged faked attack plays out.

GDPR requires every day effort and attention. It is not something constant in time. As your business evolves you will need to make amendments thus you have to be flexible and every time you will have to take business decisions you have to keep clients’ privacy in your requirements list.

Additionally, if your DPO is not the right person well, you do not even need to test the effectiveness of your compliance to know you will have an issue. If you are interested in learning how to select the right DPO then How to select DPO officer for your business article is for you.

Scenario #3:

I cannot do it. I do not have the money. I do not care. It will not affect me. Let’s hope I will not get caught by my country’s data protection authority.

 So, GDPR is a legislation which means that is mandatory. Yes, the authorities will not move around giving fines the first day of its effect because this is not their goal and because it is not how the legislation works.

It’s like driving a car. If you speed up more than the limit until you get caught there is no fine! But if you get caught… you pay the fine. The same happens with GDPR. Until you get caught theoretically you are okay.

But the main question is: how easy or possible is it to get caught?

Let’s see when you get caught:

In 3 cases:

  • When a cyber attack takes place in your company
  • When a data breach takes place in your company or
  • When one of your employees makes a mistake and discloses client’s data to a non-authorized person

All three scenarios, I am sorry for breaking the bubble but, are possible.

With Cyber-attacks it is not if but when. In fact, according to IBM there are more than 4000 attacks per day of which the impact on 60% of those unfortunately escalates to business closure within 6 months of the attack according to the US National cyber-security association.

Want to know the average cost of an attack to your business? That is $100 000 according to the European cyber-security organization. Note this amount is before GDPR fines. I will make a prediction. The amount will at least double that based on the value of client’s data which will be affected by the cyber-attack. If you want to read more about the probability of cyber-attacks then the article The trojan horse of protection is for you.

Why am I telling you all these? Because I want you to understand the strong relationship between cyber-attacks and GDPR. There is no clearer way to say it but without business security you cannot have GDPR coverage. Data is the building block of a business in our days and this data affect people in a negative way if it falls into the wrong hands. It is very easy to happen, and you will be held liable so if I were you with the mentality of the three scenarios I mentioned in the beginning of this article/podcast I would reconsider.

Sooner or later you will get caught because a mistake, a cyber-attack or a data breach will happen and as Robin Sharma says “He who sweats more in training, bleeds less in war”. There is no better way to communicate to you that if you prepare properly for a cyber-attack and you are in the state of anticipation you will face the least impacts of it, not only from GDPR fines but from a cyber-attacks impact as well. Attack anticipation is the ultimate strategy and the best investment for your business. {tweet this}

Here is the truth, this legislation is here to stay because it serves a very important purpose so make peace with it and start preparing properly for it. In fact, there is another legislation in fast preparation from the EU regarding cyber-attacks. So, this is the new reality. Laws will protect citizens from the impact of cyber- attacks, data breaches and mistakes.

Getting a DPO is the first step for GDPR compliance but it is not enough. The most important step is to select the right DPO so that he/she gets you prepared properly to minimize the impact of an attack to your client’s data.

Plus, GDPR compliance has a double effect. If you noticed earlier in the beginning of the article I mentioned the impact of a cyber-attack to your business. If you do your compliance properly you minimize your reputation risk, costs of an attack and the possibility of your business not so survive. There are many factors that can close down a business. The most current and dangerous is cyber-attacks so get prepared for it.

I am going to repeat today’s tweetable because of its value.

 “He who sweats more in training, bleeds less in war” Robin Sharma   

Apply what you learn immediately. Download “GDPR Basics” free quick start guide.

cyber-security approach, philosophy, business, protection

So I am now turning it over to you.

If you found this article useful Tag someone who needs this information!

I would also like to hear your thoughts on GDPR compliance and the factors which create confidence about GDPR preparation.

I cannot wait to hear your comments so leave them below.


GDPR Interview – Part 7 Your ability to control your protection

GDPR Interview – Part 7 Your ability to control your protection

GDPR Interview - Part 7 Your ability to control your protection Click below if you prefer to listen. Free Quick start guide: GDPR basics GDPR basics Want a little help? Download “GDPR Basics” free quick start guide. Clarity is power! So, I am now turning it over to...


and get the latest updates