GDPR: A Cost vs. Benefit Analysis

It's a mistake for companies to view compliance with GDPR as just a financial burden. There are real benefits to be had in understanding and protecting customer data.

Guest Commentary

April 23, 2018

5 Min Read

Complying with GDPR can be perceived as a burden for businesses, and understandably so: fines for non-compliance run up to 4% of total worldwide annual turnover or 20 million euros, whichever is higher. But regulation and the compliance effort it demands also carry benefits that are easily overlooked, provided they are approached with a proper understanding of the regulation.

GDPR is a landmark regulation for how it rebalances the data relationship between an individual and the organization that collects and processes their data. GDPR aims to give EU residents fundamental rights over how their personal information is used by business. By establishing a broad range of rights, from data access to erasure, GDPR promotes better accountability to customers and employees through better data accounting.

The International Association of Privacy Professionals estimates that Fortune's Global 500 companies will spend roughly $7.8 billion to become compliant with GDPR, no small sum. Yet viewing GDPR through the lens of compliance cost alone misses the broader change the regulation brings. Yes, there will be substantial costs associated with operationalizing specific obligations inside the organization, but the benefits can be argued to far outweigh the investment.

GDPR is an expansive regulation. Over-compartmentalizing the work and attempting to tackle each obligation in isolation will leave gaps in compliance, and money will be wasted without improving overall data understanding.

Instead, a holistic, big-picture approach is required for real benefits. GDPR starts with knowing what data you have, on whom, and where. If a company knows its data, it can build from that to answer data subject access requests, manage consent, respond to breaches, keep records of processing activities, and more.

Approached in that frame of mind, here are some tangible business benefits that compliance can be expected to bring when the regulation takes effect on May 25.

Understanding the customer

First and foremost, compliance efforts help companies understand their customers better by understanding their data better. If customers are the lifeblood of a modern digital business, then knowing customers' data takes on commercial "life or death" urgency.

In order to comply with the regulation, increasing data visibility across organizational silos, de-duplicating lists, and cleansing and mapping data are musts. If data is the new oil, then knowing exactly what kind of oil you have, how much, and where it is flowing through the engine not only provides a means of safeguarding it, but also a way to unlock value within that data and improve performance, in a private and secure way.

Cyber insurance and civil action savings

The cyber insurance market has exploded in recent years, with annual gross premiums expected to reach $7.5 billion by 2020. Insurers price on demonstrated controls rather than on the mere obligation to comply, so companies that can show proof of compliance with regulations this stringent will likely see a significant reduction in annual cyber insurance costs.

In March, a federal judge showed how beneficial a mandatory notification rule like Article 33 (notification to the supervisory authority within 72 hours of becoming aware of a breach) may prove in avoiding civil action costs. Yahoo was ordered to face a lawsuit claiming that the personal information of three billion accounts was compromised in a series of breaches. The central complaint was that Yahoo had been too slow to disclose breaches that occurred from 2013 to 2016. Under GDPR, "too slow" will not be an option.

Protect brand reputation through pre-breach data privacy practices

As seen in high-profile cases at Equifax, Uber, Yahoo, Target and others, organizations will go to great lengths to avoid disclosure in order to protect brand reputation. A hard rule on disclosure is understandably daunting, but the role GDPR plays in helping companies understand what data they have, the risk it carries and how to protect it will prove greatly beneficial in avoiding a breach altogether.

Pre-emptive data privacy practices such as data minimization (collecting and retaining only the information essential to business operations) and data tokenization (removing sensitive data from application systems and replacing it with a token that has no value outside the tokenization vault) depend on exactly the level of data understanding that compliance work builds, so the capability comes as a by-product of compliance. One caveat: a token is only as worthless to an attacker as the vault that maps it back is well protected, so that vault needs tighter access control than the systems it serves.
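The following is an added example, not code from the article or from BigID, showing what minimization and tokenization look like at the field level: a record is first stripped to an allowlist of fields the business actually needs, then the sensitive fields that remain are swapped for random tokens that only a separate vault can reverse. The field names, the allowlist, the sample records and the vault design are constructed assumptions for illustration.

```python
"""Added example: field-level data minimization plus tokenization.

Illustrative code, not from the article or BigID. Field names, the
allowlist and the sample records are constructed assumptions.
"""
import hashlib
import hmac
import secrets

# Fields a hypothetical billing service actually needs; everything else is
# dropped before storage (data minimization).
RETAINED_FIELDS = {"customer_id", "email", "phone", "plan"}
# Fields that are kept but must never sit in the application store as plaintext.
TOKENIZED_FIELDS = {"email", "phone"}


class TokenVault:
    """Maps random tokens back to plaintext. Only this object can reverse a token,
    so it must be deployed and access-controlled separately from the app store."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key                  # keys the value->token index
        self._token_to_value: dict[str, str] = {}
        self._digest_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Keyed hash so the lookup index never holds plaintext, while the same
        # value still maps to the same token (joins across tables keep working).
        digest = hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()
        token = self._digest_to_token.get(digest)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # random, unrelated to the value
            self._digest_to_token[digest] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]

    def __len__(self) -> int:
        return len(self._token_to_value)


def minimize(record: dict) -> dict:
    """Keep only allowlisted fields; unneeded personal data is never stored."""
    return {k: v for k, v in record.items() if k in RETAINED_FIELDS}


def protect(record: dict, vault: TokenVault) -> dict:
    """Minimize, then replace sensitive fields with vault tokens."""
    kept = minimize(record)
    return {k: (vault.tokenize(v) if k in TOKENIZED_FIELDS else v)
            for k, v in kept.items()}


def plaintext_leaked(stored: list[dict], originals: list[dict]) -> bool:
    """True if any sensitive plaintext value survives in the stored records,
    i.e. what an attacker holding only the application store would see."""
    sensitive = {r[f] for r in originals for f in TOKENIZED_FIELDS if f in r}
    return any(v in sensitive for rec in stored for v in rec.values())


# Constructed sample input (two accounts sharing an e-mail address).
RAW_RECORDS = [
    {"customer_id": 1, "email": "ana@example.com", "phone": "+44 20 7946 0000",
     "plan": "pro", "mothers_maiden_name": "Silva", "passport_no": "X1234567"},
    {"customer_id": 2, "email": "ana@example.com", "phone": "+44 20 7946 0001",
     "plan": "basic", "mothers_maiden_name": "Rossi"},
]


def demo():
    """Build a vault with a fresh random index key and protect the sample records."""
    vault = TokenVault(secrets.token_bytes(32))
    stored = [protect(r, vault) for r in RAW_RECORDS]
    return vault, stored


if __name__ == "__main__":
    vault, stored = demo()
    for rec in stored:
        print(rec)
    print("plaintext leaked from app store:", plaintext_leaked(stored, RAW_RECORDS))
    print("reversed via vault:", vault.detokenize(stored[0]["email"]))
```

The shape of the result is the point: the application store holds nothing an attacker can use, the passport number and mother's maiden name were never stored at all, and the only way back to a real e-mail address is through the vault, which is why the vault deserves stricter access controls and logging than the application database.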

Minimizing response costs

The 2017 Cost of Data Breach Study from the Ponemon Institute puts the global average cost of a breach at $3.6 million, or $141 per data record.

Under GDPR, the supervisory authority must be notified within 72 hours of the organization becoming aware of a breach, and the affected individuals without undue delay when the breach is likely to result in a high risk to them. No business is going to be happy about spending millions dealing with breach fallout, but the cost of identifying and notifying victims will be drastically reduced for those already complying with GDPR: the data visibility that compliance requires means the money otherwise spent working out who exactly was affected is sharply reduced.

The big picture

GDPR aims to provide better accountability to consumers through better data accounting. Ultimately, this helps build trust between a company and its customers. In a very real financial way it also has economic benefit: the investments required to comply with GDPR equip companies to protect themselves better and to extract more value from their customer data. At first blush GDPR looks like a cost for businesses to incur. But dig deeper and you find it opens up new protections and new value.

Dimitri Sirota is a privacy and identity expert with 20-plus years of experience. He is CEO and co-founder of BigID, a leader in enterprise data protection and privacy for personal data. Dimitri has founded several enterprise software companies focused on security and API management, and has been a serial entrepreneur and investor for many years.

