The long-term gains of GDPR data protection policies: a case study | DMA

In September last year, credit report company Equifax was subject to a large data breach affecting 400,000 customers in the United Kingdom. Equifax is the second largest credit report agency in the UK (after Experian) and holds information about its customers for the purpose of their credit evaluations by third parties.

While this data breach is bad, Equifax management will be somewhat relieved that it has come to light before the 25th May, when the new GDPR regulations come into force.

There are several reasons for this.

First, there is the issue of timely information release. Equifax discovered its data breach on the 29th July 2017, but only revealed information about it on 8th September. Under GDPR, companies will be required to notify customers and regulators of data breaches within 72 hours of discovery. Had Equifax been subject to GDPR, it could have been fined up to 4% of global turnover which, for Equifax, would be around $12.5m.

Nonetheless, even though Equifax did not suffer the slings and arrows of GDPR regulations, it has certainly betrayed—and lost—consumer trust. What’s more, it has since been revealed that, upon realising his company had suffered a breach, Equifax’s chief information officer took advantage of this inside information, sold his shares in the company and made a handsome £680,000. The credit report company has still not recovered from these blips, with share prices remaining at half their pre-breach value even six months on.

While it appears Equifax’s luck would have been even worse under the new GDPR regulations, it is likely that an effective post-GDPR data protection policy would have protected the company from this breach and, therefore, from the huge loss in company value and profits.
