GDPR: A Cost vs. Benefit Analysis - InformationWeek

IT Leadership // Security & Risk Strategy
Commentary
4/23/2018 02:00 PM
Dimitri Sirota, CEO and Co-founder, BigID

It's a mistake for companies to view compliance with GDPR as just a financial burden. There are real benefits to be had in understanding and protecting customer data.

Complying with GDPR can be seen as a burden for businesses, and understandably so: fines for non-compliance run up to 4% of total worldwide annual turnover or 20 million euros, whichever is higher. But regulations and compliance efforts also offer overlooked benefits to organizations, provided they are approached with a proper understanding of the regulation.

GDPR is a landmark regulation because it rebalances the data relationship between an individual and the organization that collects and processes their data. It gives individuals in the EU fundamental rights over how businesses use their personal information. By establishing a broad range of rights, from data access to erasure, GDPR promotes better accountability to customers and employees through better data accounting.

The International Association of Privacy Professionals estimates that Fortune's Global 500 companies will spend roughly $7.8 billion to become compliant with GDPR, no small sum. Yet viewing GDPR through the lens of compliance cost alone misses the broader change the regulation brings. Yes, there will be substantial costs associated with operationalizing specific obligations inside the organization, but the benefits can be argued to far outweigh the investment.

GDPR is an expansive regulation. Over-compartmentalizing it and tackling each obligation in isolation leaves gaps in compliance and wastes money, because every separate effort has to rebuild the same understanding of the organization's data.

Instead, a holistic, big-picture approach is required for real benefits. GDPR starts with knowing what data you have, on whom, and where. Once a company knows its data, it can build on that to handle data subject access requests, consent, breach response, records of processing activities, and more.

If approached in the right frame of mind, here are some tangible business benefits to expect from compliance when GDPR takes effect on May 25, 2018.

Understanding the customer

First and foremost, compliance efforts help companies better understand their customers by better understanding their data. If customers are the lifeblood of a modern digital business, then knowing customers' data takes on commercial "life or death" urgency.

To comply, increasing data visibility across organizational silos, de-duplicating lists, and cleansing and mapping data are musts. Data is the new oil, and knowing exactly what kind of oil, how much, and where it is running through the engine not only provides a way to safeguard the data but also a way to unlock value within it and improve performance, in a private and secure way.

Cyber insurance and civil action savings

The cyber insurance market has grown rapidly in recent years, with annual gross premiums expected to reach $7.5 billion by 2020. Companies that must comply, and that can show proof of compliance with these stringent requirements, will likely see a significant reduction in annual cyber insurance costs.

In March, a federal judge showed how valuable Article 33 (notification of a breach to the supervisory authority within 72 hours) may prove to be in limiting civil action costs. Yahoo was ordered to face a lawsuit claiming the personal information of three billion users was compromised in a series of breaches from 2013 to 2016, and the suit was allowed to proceed in part because Yahoo was too slow to disclose them. Under GDPR, "too slow" will not be an option.

Protect brand reputation through pre-breach data privacy practices

As seen in high-profile cases at Equifax, Uber, Yahoo, Target and others, organizations will go to great lengths to avoid disclosure in order to protect brand reputation. A hard rule on disclosure is understandably daunting, but the role GDPR plays in helping companies understand what data they have, what risk it carries and how to protect it will prove greatly beneficial in reducing the chance of a breach in the first place.

Pre-emptive data privacy practices such as data minimization (limiting collection and retention to the information essential to business operations) and tokenization (removing sensitive data from systems and replacing it with a token that is worthless on its own) require a level of data understanding that compliance work delivers.
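The two practices above, as an added example that is not code from the article or from BigID: a minimization allow-list, a token vault that swaps sensitive fields for random tokens and can drop the mapping on an erasure request, and the caveat that an unkeyed hash of a low-entropy field such as a phone number is not a token, because it can be reversed by guessing. The sample record and field names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record: what a sign-up form might capture.
RAW_RECORD = {
    "email": "ana.souza@example.com",
    "phone": "+44 20 7946 0958",
    "date_of_birth": "1988-04-12",
    "mother_maiden_name": "Ferreira",   # collected "just in case"; never used
    "plan": "pro",
}

# Data minimization: an explicit allow-list of fields the service actually
# needs. Everything else is dropped before storage, so it can never leak.
REQUIRED_FIELDS = {"email", "phone", "plan"}


def minimize(record, required=REQUIRED_FIELDS):
    return {k: v for k, v in record.items() if k in required}


class TokenVault:
    """Maps random tokens to original values. A token carries no information
    about the value; only the vault (stored and access-controlled separately
    from the application data) can reverse it."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}   # same value -> same token, so joins still work

    def tokenize(self, value):
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_urlsafe(16)   # 128 bits of randomness
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        return self._by_token[token]

    def has(self, token):
        return token in self._by_token

    def erase(self, value):
        """Erasure request: delete the mapping. Copies of the token left in
        backups, logs or analytics stores become permanently meaningless."""
        token = self._by_value.pop(value, None)
        if token is None:
            return False
        del self._by_token[token]
        return True


SENSITIVE = ("email", "phone")


def tokenize_record(record, vault, sensitive=SENSITIVE):
    return {k: (vault.tokenize(v) if k in sensitive else v) for k, v in record.items()}


def detokenize_record(record, vault, sensitive=SENSITIVE):
    return {k: (vault.detokenize(v) if k in sensitive else v) for k, v in record.items()}


# Caveat: sha256(phone) is not a token. The space of phone numbers is small
# enough to enumerate, so an attacker with the hash recovers the number.
def naive_hash(value):
    return hashlib.sha256(value.encode()).hexdigest()


def dictionary_attack(target_hash, candidates):
    for candidate in candidates:
        if naive_hash(candidate) == target_hash:
            return candidate
    return None


# Keyed pseudonymization (HMAC with a secret key) blocks the guessing attack,
# but it is still deterministic: the output is pseudonymous, not anonymous,
# and the key must be protected like the vault.
def pseudonymize(value, key):
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    vault = TokenVault()
    stored = tokenize_record(minimize(RAW_RECORD), vault)
    print("stored:", stored)
    print("restored:", detokenize_record(stored, vault))
    vault.erase(RAW_RECORD["email"])
    print("email token resolvable after erasure:", vault.has(stored["email"]))
    guesses = ["+44 20 7946 0957", "+44 20 7946 0958"]
    print("naive hash reversed to:", dictionary_attack(naive_hash(RAW_RECORD["phone"]), guesses))
```

The vault is an in-memory dictionary here; in production it is the one store that must be encrypted, access-logged and backed up on its own, because everything downstream holds only tokens.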

Minimizing response costs

The 2017 Cost of Data Breach Study from the Ponemon Institute puts the global average cost of a breach at $3.6 million, or $141 per lost or stolen record.

Under GDPR, the supervisory authority must be notified within 72 hours of the organization becoming aware of a breach, and the affected individuals must be informed without undue delay when the breach is likely to put them at high risk. No business is going to be happy about spending millions dealing with breach fallout, but the work of identifying and notifying affected individuals will be drastically reduced for those complying with GDPR. Through the increased data visibility that compliance requires, the money spent determining who exactly was affected by a breach can be sharply reduced.
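A minimal version of the data inventory that "Understanding the customer" calls for, and of the breach-scoping question asked here (who had data in the compromised system, and where else does their data live), as an added example that is not code from the article or from BigID. Three constructed "silos" hold overlapping customer records; pattern classifiers mark which fields carry personal data, and normalized e-mail links one data subject across silos. The source names, field names and sample values are all made up for illustration, and real discovery tooling uses far richer classifiers than two regular expressions.

```python
import re
from collections import defaultdict

# Constructed sample silos: a CRM, a ticketing system and a marketing export.
CRM = [
    {"id": 1, "name": "Ana Souza", "email": "Ana.Souza@example.com", "phone": "+44 20 7946 0958"},
    {"id": 2, "name": "Ben Koch", "email": "ben.koch@example.org", "phone": ""},
]
SUPPORT_TICKETS = [
    {"ticket": "T-100", "reporter": "ana.souza@example.com", "body": "Call me on +44 20 7946 0958 please"},
    {"ticket": "T-101", "reporter": "cara.ng@example.net", "body": "Login broken"},
]
MARKETING_EXPORT = [
    {"contact": "ANA.SOUZA@EXAMPLE.COM", "optin": "yes"},
    {"contact": "ben.koch@example.org", "optin": "no"},
    {"contact": "cara.ng@example.net", "optin": "yes"},
]
SOURCES = {"crm": CRM, "support": SUPPORT_TICKETS, "marketing": MARKETING_EXPORT}

# Pattern classifiers for two categories of personal data. Patterns alone
# produce false positives; production tools add checksums, context and scoring.
CLASSIFIERS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+?\d[\d ()-]{7,}\d"),
}


def classify(value):
    """Return the set of personal-data categories found in one field value."""
    found = set()
    if not isinstance(value, str):
        return found
    for category, pattern in CLASSIFIERS.items():
        if pattern.search(value):
            found.add(category)
    return found


def build_inventory(sources):
    """Map each (source, field) to the categories it holds and how many
    records contain them: the 'what data, where' half of the inventory."""
    inventory = defaultdict(lambda: defaultdict(int))
    for source_name, rows in sources.items():
        for row in rows:
            for field, value in row.items():
                for category in classify(value):
                    inventory[(source_name, field)][category] += 1
    return {key: dict(counts) for key, counts in inventory.items()}


def normalize_email(addr):
    return addr.strip().lower()


def subject_index(sources):
    """Link records across silos by normalized e-mail, so one data subject
    maps to every (source, field) where their data lives: the 'on whom' half,
    and the lookup behind access and erasure requests."""
    index = defaultdict(list)
    email_re = CLASSIFIERS["email"]
    for source_name, rows in sources.items():
        for row in rows:
            for field, value in row.items():
                if isinstance(value, str):
                    for match in email_re.findall(value):
                        index[normalize_email(match)].append((source_name, field))
    return dict(index)


def affected_subjects(sources, breached_source):
    """Breach scoping: subjects with data in the compromised source, with
    every other location of their data for follow-up."""
    return {subject: places for subject, places in subject_index(sources).items()
            if any(src == breached_source for src, _ in places)}


if __name__ == "__main__":
    for (source, field), counts in sorted(build_inventory(SOURCES).items()):
        print(f"{source}.{field}: {counts}")
    for subject, places in affected_subjects(SOURCES, "support").items():
        print("affected:", subject, "->", places)
```

Running it lists which fields in which system hold e-mail addresses or phone numbers, and for a compromise of the ticketing system returns the two subjects whose data was there, together with the CRM and marketing records that hold the same people.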

The big picture

GDPR aims to provide better accountability to consumers through better data accounting. Ultimately, this builds trust between a company and its customers. But it also has a very real economic benefit. The investments required to comply with GDPR equip companies to better protect themselves and to extract more value from their customer data. At first blush GDPR looks like a cost for businesses to incur; dig deeper and you find it opens up new protections and value.

Dimitri Sirota is a privacy and identity expert with 20-plus years of experience. He is CEO and co-founder of BigID, a leader in enterprise data protection and privacy for personal data. Dimitri has founded several enterprise software companies focused on security and API management, and has been a serial entrepreneur and investor for many years.
