Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:30 PM
Marc Wilczek
Marc Wilczek
Connect Directly
E-Mail vvv

Benefiting from Data Privacy Investments

GDPR-ready companies experience lower overall costs associated with data breaches, research finds.

Millions of people continue to be flummoxed and frustrated by the much-publicized leaks of their personal information from the likes of Marriott, Facebook, and Equifax, to cite three recent examples. Such data breaches are causing companies and organizations everywhere to re-examine the things they procure, the services they use, the individuals they hire, and the people and firms with whom they partner and do business. Across the board, organizations have sunk money into staff, strategies, and equipment to comply with new, tighter customer privacy rules and sidestep major fines and other penalties.

On May 25, 2018, the EU's General Data Protection Regulation (GDPR) took effect, and other privacy laws and regulations worldwide are evolving and expanding. Cisco's 2019 Data Privacy Benchmark Study details how scores of organizations are having a hard time meeting all the demands of the new regulatory regimes — and the ones that took early action to address security concerns are seeing positive results from their investments.

GDPR Readiness
Data privacy is now a topic of discussion in corporate boardrooms, and clients, vendors, and other business partners are all paying more attention to how well the companies they patronize and work with safeguard private information. If a company doesn't measure up, those groups may look elsewhere.

Interestingly, however, a mere 59% of the respondents in the Cisco survey said they are measuring up to most of GDPR's requirements. Twenty-nine percent indicated that they would be GDPR-ready within 12 months, while 9% said it would take them more than a year.

The respondents also identified their biggest hurdles in terms of getting ready for GDPR. The top five challenges were data security (cited by 42% of respondents), internal training (39%), ever-changing regulations (35%), and privacy by design requirements as well as meeting data subject access requests (each at 34%).

"Data privacy risks have become a major issue for most businesses. Many companies are preparing for data privacy litigation. Having a defense strategy in place can be a huge benefit," says Tim Wybitul, partner in Latham & Watkins' Frankfurt office. "For instance, you can determine roles, press communication and a process in advance," he adds.

Sales Delays Due to Privacy
The survey also asked participants whether their customers' concerns about data privacy was slowing down or delaying sales cycles. Some 87% replied in the affirmative, saying that the slowdowns stemmed from worried customers or prospects. This is a much higher figure than the 66% of respondents who reported the same delays in the 2018 survey, but this shouldn't come as a big surprise given the ink that's been spilled on the importance of data privacy, GDPR, and the onset of new privacy regulations and requirements.

Roughly half (49%) of the respondents said that their sales-cycle delays stem in part from having to look into specific requests from customers who want to know more about the company's data policies. Slightly fewer companies (42%) must translate their privacy policies/processes into the customer's/prospect's language, while 39% regard the customer's/prospect's enquiries about privacy policies or processes as a tactic used to deliberately slow the pace of a sales process.

The estimates regarding the length of delays were far from consistent. For sales delays stemming from privacy concerns, the average slowdown for selling to existing customers was 3.9 weeks. The organizations that said they're meeting all or most of GDPR's requirements reported a slightly shorter delay — an average of 3.4 weeks — in contrast to 4.5 weeks for companies that expect to be GDPR-ready within a year, and 5.4 weeks for those that are more than a year away. Put another way, the delays at the least-prepared organizations are almost 60% longer than the most prepared.

In light of the above, it should come as no surprise that the GDPR-ready companies also experienced lower overall costs related to data breaches.

"This research provides evidence for something privacy professionals have long understood — that organizations are benefiting from their privacy investments beyond compliance," says Peter Lefkowitz, chief digital risk officer at Citrix Systems. "The study demonstrates that strong privacy compliance shortens the sales cycle and increases customer trust."

Data Breaches Happen Less Often with GDPR-Readiness
Most companies in the survey reported having a data breach in 2018, but fewer (74%) of the GDPR-ready companies were affected. In comparison, breaches struck 80% of the firms that are less than a year from GDPR readiness, and 89% of the ones that still have a long way to go before they fully comply.

That's not all. Not only were the most GDPR-ready companies hit less often; the impacts of the breaches they did experience were smaller — an average of 79,000 records, as opposed to 212,000 for those that are least GDPR-ready. The system downtime for the most-prepared was also significantly less (6.4 hours versus 9.4 hours). Of these firms, only 37% suffered data-breach losses of more than $500,000, while 64% of the least-prepared companies lost at least that much.

The respondents were nearly unanimous in one area: Almost all of them (97%) said they are enjoying side benefits from their investments in privacy protection, citing agility/innovation, competitive advantage, operational efficiency, reduced losses from breaches, fewer sales delays, and greater appeal among investors.

The takeaway from all this? The Girl Scouts probably say it best: "Be prepared."

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.