Spain, Italy and Sweden have had the ignominious honour of being named the three top offenders of GDPR infractions this year, according to the EU's own GDPR tracker.
€68.2m has been forfeited by companies across the EU between 1 January and 17 August this year.
A much maligned topic within the channel, the failure to be GDPR compliant has nonetheless inflicted real financial damage, at a time when balance sheets are already sorely strained by the COVID-19 pandemic.
Italian firms in particular have racked up fines totalling €45.6m in just eight months. That's 66.9 per cent of the total fines issued across all EU countries.
CPI has talked to three of the top partners in each market, and a cybersecurity compliance adviser, to ask them whether they're surprised and, more importantly, whether they see real opportunities in these top penalty-incurring regions.
Convoluted legal advice and an opportunity for system integrators
It's been more than two years since GDPR became enforceable.
Yet despite multiple warnings from the EU, why is the message still not resonating?
"Us Italians too often have the tendency of choosing which laws apply to us," jokes Alessandro Cattani, the CEO of Italy and Spain's biggest distributor, Esprinet.
The €3.6bn giant is based in Vimercate in the north of Italy.
"Seriously, though, I am surprised because last year we witnessed a lot of investment from all kinds of end users in security solutions to try and adapt and comply."
However, security is just one element of what is primarily a legal issue surrounding the right to hold and share data.
Indeed, the number one most common GDPR violation this year was "an insufficient legal basis for data processing".
Cattani's view is that the top channel opportunity surrounding GDPR right now is for system integrators to work more closely with GDPR lawyers.
His view is that some legal advice may be deliberately misleading, leaving companies vulnerable to being fined.
"It seems like there's a lack of proper engagement from the lawyers in Italy. It looks more like almost a sort of deliberate action, rather than companies having a lack of preparation, which doesn't bode well for the reputation of Italy."
He added that SIs have the best opportunity to go beyond security software relating to GDPR, and present a consultancy case across the wider legal requirements that many firms may still not be fully aware of.
"Our feeling is that a lot of hardware and software investments have already been made. What probably has not been good enough so far is the proper way to put this technological investment into use. And so probably there's an opportunity for system integrators to team up with the lawyers on that, and room for further training," he said.
Southern Europe - An ‘unsaturated’ security market
Juanjo Martinez Pagan is a cybersecurity and risk consultant. Based in France, Pagan advises cybersecurity start-ups across southern Europe on security compliance.
His view is that the GDPR fines show that the southern European market should be seen as a key growth region for security players.
"I've worked for several cybersecurity companies in the last 10 years, and they say that southern Europe typically has lower sales numbers. For example, in some companies I've worked in, the numbers of France, Italy, Spain, Portugal, Greece and Turkey combined are only similar to those of the UK."
"This is because of the maturity of the market. And it means there are big opportunities for growth. I think you will see that this year and next."
Pagan's advice for partners looking to land and expand in the region as a result of this "unsaturated European market" is to prioritise collaborating with a local partner.
"I think the traditional way of international companies coming in and hiring employees, and then deploying them in the country; it takes too long. It doesn't fit well with the speed of our industry.
"By the time you have the people, have deployed them and they are operationally efficient a lot of things may have changed in the marketplace here."
C-Suite reluctance to spend in Spain and Italy
However, a big factor hindering security spend in the region is an obvious reluctance from C-suite level executives to spend money on cybersecurity, claims Pagan.
"It's unbelievable how many companies are not aware of what they are risking. How is this possible? To me the only explanation is this gap between the CSO and security community and the C-level executives who provide the money for the investment," he said.
This restriction on security investment seems likely to be a bigger issue for the remaining months of the year, Pagan believes.
Bechtle's country manager for Spain, Juan José Moneo, told CPI that several smaller local rivals have had their cash flows decimated by the COVID-19 pandemic.
"The big problem is with liquidity in customers here - especially for smaller companies and those that don't have a long-term plan for this situation," he said.
And the purse strings have tightened for companies across the Spanish economy.
Last week, a European Union report showed Spain has suffered the biggest GDP contraction in Q2 in the EU, slumping 18.5 per cent.
One reason Spanish resellers and their end-users have been hit particularly badly in this region is because Spain is primarily a market of SMB players.
"In this market, there are some companies that are clearly not fulfilling the goals of GDPR, but to be compliant can have a high cost," Moneo said.
"On top of that, sometimes there is still confusion about the interpretation of the law. It can be really complicated…And that is an issue if there are problems with liquidity."
COVID-19 as an ‘accelerator’ of investment
Cybersecurity advisor Pagan believes that the rise of ransomware will be an important catalyst in getting more companies GDPR compliant.
"Now with COVID-19, we are seeing more big companies who have been hit by ransomware… And this is an opportunity," he said.
"Ransomware and hacking has become such a huge business, so customers need guidance and training and a range of security products.
"The problem is, there are so many solutions and all of them provide value. But I think companies are learning the lesson that there needs to be a plan on how they all connect in their own business, and how this helps protect the business from ransomware and these sorts of [GDPR] fines."
He added: "I believe the cybersecurity market in southern Europe has much more potential to grow and is going to grow much more. So actually I don't see COVID-19 as a barrier for investment in cybersecurity here, I see it more as an accelerator.
"It is helping companies to open their eyes and realise, ‘Maybe we have not been paying sufficient attention to our security?’"
Complacency in Sweden
The third most heavily fined country by the EU GDPR enforcement agency is Sweden.
One of its biggest system integrators is Proact.
Its CTO Per Sedihn has mixed feelings about his market's ranking.
"At first I was surprised, because us Swedes have a culture of compliance. We follow the rules.
"But then maybe we are a bit too comfortable. In a way we might have underestimated the consequences.
"If you make a mistake, people here say 'don't do that, that was bad,' but then nothing happens. It's not like in the US where you get fined or you are sentenced to years in prison. We are not used to severe consequences."
From a market perspective, Sedihn says the Sweden-based NetApp and Dell partner does see opportunities amid this complacency.
"There is absolutely a lot of room for advice. It is a technical question too and not just a legal aspect.
"For instance, customers can ask, can we see breaches in real time, can we actually see when we are not in compliance?
"I absolutely see a change now in some talks with customers. Two years ago people did talk about GDPR but it was mainly the lawyers - not so much in IT as it should have been.
"But people are waking up to a new reality."
Public cloud maturity in the Nordics
Sedihn pointed to changes in how Proact talks about public cloud with customers as one of the most important elements of the GDPR conversation in the Nordics.
"We hear people saying we're going to the public cloud, and it's going to be good. But then we ask if they've considered the US Cloud Act versus GDPR.
"I would say 18 months ago, people would say they didn't think it was a problem. Now people are starting to wake up to the compliance consequences. This is a big change. We've entered a maturity phase now with regards to public cloud."
Proact has recently mounted a return to form in the market with its Q2 figures surging 22 per cent after a difficult start to its financial year due to the global lockdown.
Sedihn is confident that the customers asking more questions about public cloud will be good for business.
"We tell customers that the location of their data is not just about geography, it's also about under which country's legislation is your data? For example, if it's a datacentre from a public cloud provider from the US, but just outside of Stockholm, it is still under American law. This is all not so simple and an opportunity for us because it leads to other technical conversations.
"Typical questions are: so how can we protect our data, what other implementations are there that will complement our existing technologies?
"Some of those answers might involve very advanced AI-type of algorithms, for example, so that's absolutely an opportunity to serve to the market these competencies and tools."
Making ‘Europe fit for the digital age’
Whether in Sweden or southern Europe, partners CPI has spoken to agree that with COVID-19 causing unprecedented strain on customers' balance sheets, avoiding unnecessary losses is more valuable than ever.
But this is about more than just money.
The European Commission says one of its top priorities is making "Europe fit for the digital age".