It's hard to find an organization these days that doesn't agree with statements like "Information and data security is important for our business."
Yet, when it comes down to the numbers, security incidents rarely move the needle, or the stock performance, of a company. The stock market either ignores or quickly shrugs off the impact of even large-scale incidents.
So far, this lack of a real impact on the bottom line has made it difficult for security-conscious organizations to justify anything but the most basic investments in information security efforts to their shareholders.
This situation is about to change drastically: the new European General Data Protection Regulation (GDPR), the successor to the EU Data Protection Directive 95/46/EC, which is aimed for adoption in 2014, carries:
fines of “up to 2 % of [the enterprise] annual worldwide turnover”
for neglecting data protection. (Read the full text here)
While one can argue whether the size and structure of the fines is justified, the main beneficiaries of the General Data Protection Regulation are clear:
- Organizations that got a head start and already invest in security
- Security service providers and vendors that will find it easier to sell and grow their market
- Ultimately consumers, knowing that the companies they entrust with their private data will no longer get away with carelessness.