GDPR-ready companies experience lower overall costs associated with data breaches, research finds.
Millions of people continue to be flummoxed and frustrated by the much-publicized leaks of their personal information from the likes of Marriott, Facebook, and Equifax, to cite three recent examples. Such data breaches are causing companies and organizations everywhere to re-examine the things they procure, the services they use, the individuals they hire, and the people and firms with whom they partner and do business. Across the board, organizations have sunk money into staff, strategies, and equipment to comply with new, tighter customer privacy rules and sidestep major fines and other penalties.
On May 25, 2018, the EU's General Data Protection Regulation (GDPR) took effect, and other privacy laws and regulations worldwide are evolving and expanding. Cisco's 2019 Data Privacy Benchmark Study details how scores of organizations are having a hard time meeting all the demands of the new regulatory regimes — and the ones that took early action to address security concerns are seeing positive results from their investments.
Data privacy is now a topic of discussion in corporate boardrooms, and clients, vendors, and other business partners are all paying more attention to how well the companies they patronize and work with safeguard private information. If a company doesn't measure up, those groups may look elsewhere.
Interestingly, however, a mere 59% of the respondents in the Cisco survey said they are measuring up to most of GDPR's requirements. Twenty-nine percent indicated that they would be GDPR-ready within 12 months, while 9% said it would take them more than a year.
The respondents also identified their biggest hurdles in terms of getting ready for GDPR. The top five challenges were data security (cited by 42% of respondents), internal training (39%), ever-changing regulations (35%), and privacy by design requirements as well as meeting data subject access requests (each at 34%).
"Data privacy risks have become a major issue for most businesses. Many companies are preparing for data privacy litigation. Having a defense strategy in place can be a huge benefit," says Tim Wybitul, partner in Latham & Watkins' Frankfurt office. "For instance, you can determine roles, press communication and a process in advance," he adds.
Sales Delays Due to Privacy
The survey also asked participants whether their customers' concerns about data privacy was slowing down or delaying sales cycles. Some 87% replied in the affirmative, saying that the slowdowns stemmed from worried customers or prospects. This is a much higher figure than the 66% of respondents who reported the same delays in the 2018 survey, but this shouldn't come as a big surprise given the ink that's been spilled on the importance of data privacy, GDPR, and the onset of new privacy regulations and requirements.
Roughly half (49%) of the respondents said that their sales-cycle delays stem in part from having to look into specific requests from customers who want to know more about the company's data policies. Slightly fewer companies (42%) must translate their privacy policies/processes into the customer's/prospect's language, while 39% regard the customer's/prospect's enquiries about privacy policies or processes as a tactic used to deliberately slow the pace of a sales process.
The estimates regarding the length of delays were far from consistent. For sales delays stemming from privacy concerns, the average slowdown for selling to existing customers was 3.9 weeks. The organizations that said they're meeting all or most of GDPR's requirements reported a slightly shorter delay — an average of 3.4 weeks — in contrast to 4.5 weeks for companies that expect to be GDPR-ready within a year, and 5.4 weeks for those that are more than a year away. Put another way, the delays at the least-prepared organizations are almost 60% longer than the most prepared.
In light of the above, it should come as no surprise that the GDPR-ready companies also experienced lower overall costs related to data breaches.
"This research provides evidence for something privacy professionals have long understood — that organizations are benefiting from their privacy investments beyond compliance," says Peter Lefkowitz, chief digital risk officer at Citrix Systems. "The study demonstrates that strong privacy compliance shortens the sales cycle and increases customer trust."
Data Breaches Happen Less Often with GDPR-Readiness
Most companies in the survey reported having a data breach in 2018, but fewer (74%) of the GDPR-ready companies were affected. In comparison, breaches struck 80% of the firms that are less than a year from GDPR readiness, and 89% of the ones that still have a long way to go before they fully comply.
That's not all. Not only were the most GDPR-ready companies hit less often; the impacts of the breaches they did experience were smaller — an average of 79,000 records, as opposed to 212,000 for those that are least GDPR-ready. The system downtime for the most-prepared was also significantly less (6.4 hours versus 9.4 hours). Of these firms, only 37% suffered data-breach losses of more than $500,000, while 64% of the least-prepared companies lost at least that much.
The respondents were nearly unanimous in one area: Almost all of them (97%) said they are enjoying side benefits from their investments in privacy protection, citing agility/innovation, competitive advantage, operational efficiency, reduced losses from breaches, fewer sales delays, and greater appeal among investors.
The takeaway from all this? The Girl Scouts probably say it best: "Be prepared."
First published in DARKReading.