Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

7/11/2017
10:30 AM
Chris Babel
Chris Babel
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The High Costs of GDPR Compliance

Looming, increasingly strict EU privacy regulations are pushing privacy spending to the top of IT priorities and budgets.

While security is all about locking down data, privacy is all about protecting that data while it's being used to drive business value. In an increasingly data-driven business environment, the companies that are best equipped to turn their data into insight are gaining measurable advantage over the competition. This includes gathering information from customers' data to feed your next marketing campaign, or predicting individual consumer behavior based on understanding clicks on a website.

In order to successfully and legally use data for business purposes, companies must comply with a number of state, national, and regional regulations. Recently, it has been the European Union's (EU) General Data Protection Regulation (GDPR) that is occupying the minds of privacy professionals. In less than a year's time, GDPR, the most sweeping change to data protection in the past 20 years, will go into effect and its impact will be felt by every organization that does business in the EU, or handles personal information of EU citizens in any manner.

To understand the status of US companies' efforts to meet privacy mandates in general, and in particular, to meet the May 25, 2018 GDPR deadline Dimensional Research conducted a survey among more than 200 privacy professionals this past May. I've been associated with privacy and security companies since the 90s, and there are a few findings from the research that are particularly noteworthy.

The Job of Privacy is Getting Harder
Among the respondents, privacy is the sole job function for more than a third and an important part of the job for more than 60%. For the vast majority (98%) of these privacy professionals, the job of managing privacy is becoming increasingly complex. More than half describe the task as significantly more complex. At the same time, 96% of respondents say that the importance of managing privacy is increasing, with almost 70% noting that it's becoming significantly more important.

For US privacy professionals, their role is becoming more important while the complexity of their job is increasing. Whether or not that means these privacy professionals feel empowered - or up to the challenge - in their roles is an open question. There's a hint of an answer, though, if we look at the help respondents say they need most in order to comply with GDPR. 

GDPR Planning: Urgent & Costly
When asked where privacy professionals need the most help, complying with data privacy requirements, and developing a GDPR plan topped the list at 39%, followed by addressing international data transfers (36%) and meeting regulatory reporting requirements (30%).

A majority of respondents (61%) haven't yet begun implementing their GDPR readiness plan. The survey honed in on exactly the support these privacy professionals need to become compliant. The results are  creating new policies and processes (69%), and obtaining privacy expertise to understand regulations (63%), and technology and tools to automate and operationalize data privacy (48%). For larger companies with at least 5,000 employees, the need for technology jumped to almost 60% percent; for smaller companies with 500-1,000 employees, 36%

To find a solution to their GDPR woes, all of the respondents report that they will invest in resources such as consultants, new hires, and technology to help prepare for next year's May deadline. A full 99% will invest in additional capabilities. A scant one percent seems to be all set!

Privacy Spending: 'Significantly' Increasing for Half
It gets really interesting, however, when we start looking at the financials. Nearly half of all companies surveyed say that their overall spending on managing privacy is significantly increasing, while the other half say their spending on privacy management is becoming slightly larger. That means that across the board, investments in privacy are going up. If we dive even deeper into the numbers we find:

  • 83% of US privacy professionals expect GDPR spending to be at least $100,000
  • Of those, 17% expect to incur costs over $1 million
  • 40% of companies plan to spend at least $500,000 to become GDPR compliant

And the bigger the company, the bigger the investment:

  • One in four companies with more than 5,000 employees expect to spend over $1M on GDPR compliance
  • One in five companies with 1,000-5,000 employees expect to spend over $1M on GDPR compliance
  • One in 10 companies with 500-1,000 employees expect to spend over $1M on GDPR compliance

Security has dominated the industry for 20 years for good reason, but with increasingly strict regulations forcing rigid compliance, privacy is bubbling to the top of IT priorities and budgets. These are certainly significant investments. Given the complexity of privacy management in general, and GDPR compliance in particular, it's no wonder that privacy professionals need much greater resources to design and deploy processes and technology solutions. This is a clear message that the privacy industry must keep pace with customers’ privacy needs, and provide the solutions and approaches to protect consumers’ data and their companies' confidential information.   

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Related Content: 

 

 

As CEO of TrustArc, formerly known as TRUSTe, Chris has led the company through significant growth and transformation into a leading global privacy compliance and risk management company. Before joining TrustArc, Chris spent over a decade building online trust, most recently ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16649
PUBLISHED: 2019-09-21
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the...
CVE-2019-16650
PUBLISHED: 2019-09-21
On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the se...
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.