While security is all about locking down data, privacy is all about protecting that data while it's being used to drive business value. In an increasingly data-driven business environment, the companies that are best equipped to turn their data into insight are gaining measurable advantage over the competition. This includes gathering information from customers' data to feed your next marketing campaign, or predicting individual consumer behavior based on understanding clicks on a website.
In order to successfully and legally use data for business purposes, companies must comply with a number of state, national, and regional regulations. Recently, it has been the European Union's (EU) General Data Protection Regulation (GDPR) that is occupying the minds of privacy professionals. In less than a year's time, GDPR, the most sweeping change to data protection in the past 20 years, will go into effect and its impact will be felt by every organization that does business in the EU, or handles personal information of EU citizens in any manner.
To understand the status of US companies' efforts to meet privacy mandates in general, and in particular, to meet the May 25, 2018 GDPR deadline Dimensional Research conducted a survey among more than 200 privacy professionals this past May. I've been associated with privacy and security companies since the 90s, and there are a few findings from the research that are particularly noteworthy.
The Job of Privacy is Getting Harder
Among the respondents, privacy is the sole job function for more than a third and an important part of the job for more than 60%. For the vast majority (98%) of these privacy professionals, the job of managing privacy is becoming increasingly complex. More than half describe the task as significantly more complex. At the same time, 96% of respondents say that the importance of managing privacy is increasing, with almost 70% noting that it's becoming significantly more important.
For US privacy professionals, their role is becoming more important while the complexity of their job is increasing. Whether or not that means these privacy professionals feel empowered - or up to the challenge - in their roles is an open question. There's a hint of an answer, though, if we look at the help respondents say they need most in order to comply with GDPR.
GDPR Planning: Urgent & Costly
When asked where privacy professionals need the most help, complying with data privacy requirements, and developing a GDPR plan topped the list at 39%, followed by addressing international data transfers (36%) and meeting regulatory reporting requirements (30%).
A majority of respondents (61%) haven't yet begun implementing their GDPR readiness plan. The survey honed in on exactly the support these privacy professionals need to become compliant. The results are creating new policies and processes (69%), and obtaining privacy expertise to understand regulations (63%), and technology and tools to automate and operationalize data privacy (48%). For larger companies with at least 5,000 employees, the need for technology jumped to almost 60% percent; for smaller companies with 500-1,000 employees, 36%
To find a solution to their GDPR woes, all of the respondents report that they will invest in resources such as consultants, new hires, and technology to help prepare for next year's May deadline. A full 99% will invest in additional capabilities. A scant one percent seems to be all set!
Privacy Spending: 'Significantly' Increasing for Half
It gets really interesting, however, when we start looking at the financials. Nearly half of all companies surveyed say that their overall spending on managing privacy is significantly increasing, while the other half say their spending on privacy management is becoming slightly larger. That means that across the board, investments in privacy are going up. If we dive even deeper into the numbers we find:
- 83% of US privacy professionals expect GDPR spending to be at least $100,000
- Of those, 17% expect to incur costs over $1 million
- 40% of companies plan to spend at least $500,000 to become GDPR compliant
And the bigger the company, the bigger the investment:
- One in four companies with more than 5,000 employees expect to spend over $1M on GDPR compliance
- One in five companies with 1,000-5,000 employees expect to spend over $1M on GDPR compliance
- One in 10 companies with 500-1,000 employees expect to spend over $1M on GDPR compliance
Security has dominated the industry for 20 years for good reason, but with increasingly strict regulations forcing rigid compliance, privacy is bubbling to the top of IT priorities and budgets. These are certainly significant investments. Given the complexity of privacy management in general, and GDPR compliance in particular, it's no wonder that privacy professionals need much greater resources to design and deploy processes and technology solutions. This is a clear message that the privacy industry must keep pace with customers’ privacy needs, and provide the solutions and approaches to protect consumers’ data and their companies' confidential information.