I've honestly lost track of how many "GDPR prep" type sessions I've sat through over the last year at SecureWorld regional cybersecurity conferences.
Each of those sessions covered the steps organizations could take to prepare, and part of the incentive for doing so was always the same: the potential for massive fines against violators.
But just how massive are fines under GDPR?
Well, Forbes just worked up the numbers for three data breaches, the eBay, Equifax, and Yahoo breaches, and looked at the fines that "could have been" had GDPR applied at the time.
Here is Yahoo, for starters:
"At the time that 3 billion user accounts had been breached at Yahoo in 2013-2014, it represented the largest data breach in history. Not only was the scope significant, the company didn’t disclose the breadth of the breach within 72 hours like the GDPR requires; in fact, it took them until October 2017 to fully acknowledge the extent of multiple breaches that occurred in 2013-2014. With revenue in excess of $4 billion for 2012, Yahoo would have faced millions of dollars in fines if GDPR would have been in place—$80 million but potentially as much as $160 million depending on the variable factors of GDPR including the culpability of the company and how cooperative they were."