This week I'm exploring the compliance aspects of privacy for November's security awareness and training module, hunting down information about the meaty fines meted out for privacy incidents breaching GDPR for starters.
According to what I've read so far, the regulators determine GDPR fines by considering ten specific factors, most of which a proactive management has the capability to control. Management can therefore (to some extent) influence the GDPR penalty part of the business impact of privacy breaches. The speed of response when notified of a breach, for example, is largely determined by the incident management activities. Incident response can be designed and operated to be more efficient and effective, for instance through sensible policies and procedures, coupled with awareness, training and exercises, as well as other aspects such as clear roles and responsibilities and slick incident reporting, escalation and official notification mechanisms. If the organization is primed and ready, it is more likely to react well than if it merely muddles through, unprepared and shambolic.
Furthermore, some of those ten factors concern preventive controls that should reduce the probability of privacy incidents occurring at all - for example, choosing not to process personal information unless necessary (risk avoidance), especially not the highly sensitive types such as medical data (e.g. by outsourcing medical services for employees to specialists who handle the privacy compliance obligations as part of the contract - a form of risk sharing).
In other words, management has some control over both the probability and impact of a potentially significant information risk relating to privacy and compliance. Nice!