The true cost of a GDPR breach: 78% of people would avoid a business after a data leak

06 July 2018

Former special projects journalist

While it remains to be seen how GDPR fines will play out in reality, the loss of reputation and loss of custom is something businesses would do well to keep in mind.

First it was Dixons Carphone, and now Ticketmaster. This week, the ticket giant has become the latest major data breach story – but in a post-GDPR world, the story is receiving more scrutiny than perhaps it would have done previously.

Since the introduction of the EU General Data Protection Regulation (GDPR), businesses have been scrambling to get on top of their data protection. Breaches can incur fines of up to €4 million or 4% of global turnover, so it’s a force to be reckoned with.

According to Ticketmaster, customers who purchased tickets between February and 23 June may have been affected by the data breach, and may have had their personal details and payment information stolen.

Ticketmaster claims that less than 5% of its global customer base will have been affected by the breach.

However, Ticketmaster’s breach took place before GDPR came into effect in May, so just how serious is this for the business?

In reality, it may be worse than it sounds. It’s not just the up-front cost of the breach, it’s the reputational damage too – and after GDPR, it’s at the forefront of people’s minds.

A survey by Crown Records Management, global information management specialists, found that more than a third of people have said they will be more selective about who they give their data to from now on.

In addition, 78% of people would either “definitely” or “probably” withdraw their custom from a company which suffered a data breach. What’s more, almost a third said that a company’s reputation could be damaged for up to two years if they suffered a breach – this is not an easy problem to make disappear.

David Fathers, regional manager at Crown Records Management, said the Ticketmaster breach should be a wake-up call for many businesses which are handling personal data.

“GDPR is creating a new environment in which the public is far more savvy and far more concerned about how its personal data is handled and looked after,” he said.

“Companies that have strong information management and data protection systems, and which show they look after data well, should flourish. But those who don’t – and those who suffer data breaches – could find the market more difficult.”

While it remains to be seen how GDPR fines will play out in reality, the loss of reputation and loss of custom is something businesses would do well to keep in mind.

For many businesses, GDPR remains something of a minefield. According to research from ICSA: The Governance Institute and recruitment specialist The Core Partnership, just 50% of organisations were fully compliant when the regulation came into force, and 78% of those surveyed found the process to be a heavy burden on resources.