GDPR: A Cost vs. Benefit Analysis
It's a mistake for companies to view compliance with GDPR as just a financial burden. There are real benefits to be had in understanding and protecting customer data.
Complying with GDPR can be a perceived burden for businesses – and understandably so, with fines for non-compliance of up to 4% of total worldwide annual turnover or 20 million euros, whichever is higher. But regulations and compliance efforts also present overlooked benefits for organizations, as long as they are administered with a proper understanding of the regulation.
GDPR is a landmark regulation for how it rebalances the data relationship between an individual and the organization that collects and processes their data. GDPR aims to provide EU residents with fundamental data rights to how their personal information gets used by business. By promulgating a broad range of rights from data access to erasure, GDPR promotes better accountability to customers and employees through better data accounting.
The International Association of Privacy Professionals estimates that Fortune's Global 500 companies will spend roughly $7.8 billion in order to ensure they are compliant with GDPR – no small sum. Yet viewing GDPR through the lens of compliance cost alone doesn't reflect the broader change afforded by the sweeping regulation. Yes, there will be substantial costs associated with operationalizing specific obligations inside the organization, but it can be argued that the benefits far outweigh the investment.
GDPR is an expansive regulation. Over-compartmentalizing it and tackling each obligation in isolation will leave gaps in compliance and waste money that could have gone toward improving overall data understanding.
Instead, a holistic, big-picture approach is required for real benefits. GDPR starts with knowing what data you hold, on whom, and where. If a company knows its data, it can build from that to answer data subject access requests, consent, breach response, records of processing activities, and more.
If handled in the right frame of mind, compliance brings tangible business benefits. Here are some to expect when the regulation takes effect on May 25, 2018.
Understanding the customer
First and foremost, compliance efforts help companies better understand their customer by better understanding their data. If customers are the lifeblood of a modern digital business, then knowing customers’ data takes on commercial “life or death” urgency.
In order to comply with regulations, increasing data visibility across organizational silos, de-duping lists, and cleansing and mapping data are musts. Data is the new oil, and knowing exactly what kind of oil, how much and where it is running through the engine not only provides a vehicle to safeguarding data, but also a way to unlock value within that data and improve performance, in a private and secure way.
Cyber insurance and civil action savings
The cyber insurance market has exploded in recent years, with annual gross premiums expected to reach $7.5 billion by 2020. Companies that can demonstrate compliance with these stringent regulations will likely see a significant reduction in annual cyber insurance costs.
In March, a federal judge showed just how valuable Article 33 (notification of the supervisory authority within 72 hours of becoming aware of a breach) may prove to be in limiting exposure to civil action. Yahoo was ordered to face a lawsuit claiming the personal information of three billion users was compromised in a series of breaches. The basis for the claim? Being too slow to disclose breaches dating back to 2013 that were not revealed until 2016. Under GDPR, "too slow" will not be an option.
Protect brand reputation through pre-breach data privacy practices
As seen in high-profile cases involving Equifax, Uber, Yahoo, Target and others, organizations will go to great lengths to avoid disclosure in order to protect brand reputation. A hard rule on disclosure (to the supervisory authority under Article 33, and to affected individuals under Article 34 where the risk to them is high) is understandably daunting, but the role GDPR will play in helping companies understand what data they have, what risk it carries and how to protect it will prove greatly beneficial in avoiding a breach altogether.
Pre-emptive data privacy practices such as data minimization (limiting collection and retention to the information that is essential to business operations) and tokenization (replacing sensitive values with tokens that have no exploitable value outside the tokenization system) both depend on knowing your data, and compliance work is what builds that level of data understanding.
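The two practices above, as an added worked example that is not part of the original article: a record is first minimized against a field allowlist, then the remaining sensitive fields are replaced by random tokens held in a vault. The allowlist, the in-process vault, and the sample customer record are all hypothetical constructions for illustration. The last function shows why merely hashing a low-entropy field such as a date of birth is not tokenization: the hash can be reversed by enumerating the candidates.

```python
"""Added example (not from the article): data minimization plus vault-based tokenization.

Assumptions (hypothetical, not from the page): a customer record is a flat dict,
the token vault lives in-process, and the allowlist / sensitive-field sets are
illustrative choices for one business process.
"""
import hashlib
import secrets
from datetime import date, timedelta

# Fields this hypothetical process genuinely needs; everything else is dropped.
ALLOWLIST = {"customer_id", "email", "country", "date_of_birth"}

# Fields that must be tokenized before the record leaves the vault's trust boundary.
SENSITIVE = {"email", "date_of_birth"}


def minimize(record, allowlist=ALLOWLIST):
    """Data minimization: keep only the fields the process needs."""
    return {k: v for k, v in record.items() if k in allowlist}


class TokenVault:
    """Replaces sensitive values with random tokens; the mapping never leaves the vault.

    Tokens come from the secrets module, so they carry no information about the
    value and cannot be reversed without vault access. The same value maps to
    the same token, so tokenized records still join and de-duplicate correctly.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        token = self._value_to_token.get(value)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(16)
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        """Only a caller with vault access can recover the original value."""
        return self._token_to_value[token]

    def tokenize_record(self, record, sensitive=SENSITIVE):
        return {k: (self.tokenize(v) if k in sensitive else v) for k, v in record.items()}


def sha256_hex(value):
    return hashlib.sha256(value.encode()).hexdigest()


def brute_force_dob_hash(digest, start_year=1940, end_year=2005):
    """Why hashing is not tokenization: a hashed date of birth has ~24k candidates."""
    day = date(start_year, 1, 1)
    end = date(end_year, 12, 31)
    while day <= end:
        candidate = day.isoformat()
        if sha256_hex(candidate) == digest:
            return candidate
        day += timedelta(days=1)
    return None


# Constructed sample record (not real data).
SAMPLE = {
    "customer_id": 1042,
    "email": "a.example@example.com",
    "country": "DE",
    "date_of_birth": "1987-03-14",
    "marketing_notes": "prefers phone contact",  # not needed -> dropped
    "id_scan_path": "/uploads/1042/id.png",      # not needed -> dropped
}


def demo():
    """Run the pipeline on the sample record and return the intermediate results."""
    vault = TokenVault()
    minimized = minimize(SAMPLE)
    tokenized = vault.tokenize_record(minimized)
    recovered = vault.detokenize(tokenized["email"])
    cracked = brute_force_dob_hash(sha256_hex(SAMPLE["date_of_birth"]))
    return {"minimized": minimized, "tokenized": tokenized,
            "recovered_email": recovered, "cracked_dob_hash": cracked}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tokenized record can be handed to analytics or support tooling without exposing the underlying values, and a breach of that copy yields only vault-specific tokens; the vault itself becomes the one system that needs the strongest controls.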
Minimizing response costs