The EU’s General Data Protection Regulation (GDPR), which came into force in May 2018, is identified as the key driver for businesses taking the first steps in cybersecurity. More than one year on from the implementation of GDPR, the legislation is justifiably seen as a champion of security, but there have been some unintended consequences.

“Our qualitative findings suggest that GDPR has encouraged and compelled some organisations over the past 12 months to engage formally with cyber security for the first time, and others to strengthen their existing policies and processes. However, the qualitative findings also highlight that GDPR has had some unintended consequences.”

UK Government report 2019

Key findings


Insights from RSM

It is no surprise that the GDPR is the key driver for cybersecurity. It has significantly raised the level of awareness among European businesses of data breaches resulting from cybercrime and the need for protection. GDPR has given cybersecurity weight by giving cybercrime more tangible consequences.

More specifically, from our work with businesses across Europe, we see that it is the threat of financial penalties behind GDPR and the resultant reputational damage that has spurred action.

The fear of significant financial penalties has changed the way organisations are thinking about data protection and security. Many businesses have taken a closer look at their data footprint and data privacy controls and made an investment in protecting data assets.

GDPR has succeeded in forcing action that was long overdue.

However, there has also been a downside to this. With so much pressure on organisations to meet the complex requirements, we have seen GDPR fatigue: overwhelmed by information and demands from the press, industry bodies and stakeholders about what they had to do, many organisations just gave up and reverted to previous working practices. This may also have led many businesses (especially those in unregulated industries) to take a more ‘tick box’ approach to getting the job done, resulting in less effective protection and a false sense of security.

A further issue with the GDPR was that it took a one-size-fits-all approach. This meant many requirements were left open and too broad, which, as another unintended consequence, has left businesses more vulnerable.

Our research has highlighted the gap: while 62% of businesses invested more in cybersecurity in preparation for the GDPR, 49% do not believe it has made their business safer and 26% don’t believe that, a year on from the GDPR deadline, their business is fully compliant.

There is clearly still a lot of work to be done, and pressure is needed. As soon as audits are carried out, there will be fines, press coverage and, needless to say, action.

We would urge firms to be proactive rather than reactive and, as a matter of priority, take the time to review what has been put in place. Cybersecurity controls should not be just about meeting the GDPR requirements but about protecting your key business assets on a wider basis.