Endpoint
7/11/2017
10:30 AM
Chris Babel
Chris Babel
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The High Costs of GDPR Compliance

Looming, increasingly strict EU privacy regulations are pushing privacy spending to the top of IT priorities and budgets.

While security is all about locking down data, privacy is all about protecting that data while it's being used to drive business value. In an increasingly data-driven business environment, the companies that are best equipped to turn their data into insight are gaining measurable advantage over the competition. This includes gathering information from customers' data to feed your next marketing campaign, or predicting individual consumer behavior based on understanding clicks on a website.

In order to successfully and legally use data for business purposes, companies must comply with a number of state, national, and regional regulations. Recently, it has been the European Union's (EU) General Data Protection Regulation (GDPR) that is occupying the minds of privacy professionals. In less than a year's time, GDPR, the most sweeping change to data protection in the past 20 years, will go into effect and its impact will be felt by every organization that does business in the EU, or handles personal information of EU citizens in any manner.

To understand the status of US companies' efforts to meet privacy mandates in general, and in particular, to meet the May 25, 2018 GDPR deadline Dimensional Research conducted a survey among more than 200 privacy professionals this past May. I've been associated with privacy and security companies since the 90s, and there are a few findings from the research that are particularly noteworthy.

The Job of Privacy is Getting Harder
Among the respondents, privacy is the sole job function for more than a third and an important part of the job for more than 60%. For the vast majority (98%) of these privacy professionals, the job of managing privacy is becoming increasingly complex. More than half describe the task as significantly more complex. At the same time, 96% of respondents say that the importance of managing privacy is increasing, with almost 70% noting that it's becoming significantly more important.

For US privacy professionals, their role is becoming more important while the complexity of their job is increasing. Whether or not that means these privacy professionals feel empowered - or up to the challenge - in their roles is an open question. There's a hint of an answer, though, if we look at the help respondents say they need most in order to comply with GDPR. 

GDPR Planning: Urgent & Costly
When asked where privacy professionals need the most help, complying with data privacy requirements, and developing a GDPR plan topped the list at 39%, followed by addressing international data transfers (36%) and meeting regulatory reporting requirements (30%).

A majority of respondents (61%) haven't yet begun implementing their GDPR readiness plan. The survey honed in on exactly the support these privacy professionals need to become compliant. The results are  creating new policies and processes (69%), and obtaining privacy expertise to understand regulations (63%), and technology and tools to automate and operationalize data privacy (48%). For larger companies with at least 5,000 employees, the need for technology jumped to almost 60% percent; for smaller companies with 500-1,000 employees, 36%

To find a solution to their GDPR woes, all of the respondents report that they will invest in resources such as consultants, new hires, and technology to help prepare for next year's May deadline. A full 99% will invest in additional capabilities. A scant one percent seems to be all set!

Privacy Spending: 'Significantly' Increasing for Half
It gets really interesting, however, when we start looking at the financials. Nearly half of all companies surveyed say that their overall spending on managing privacy is significantly increasing, while the other half say their spending on privacy management is becoming slightly larger. That means that across the board, investments in privacy are going up. If we dive even deeper into the numbers we find:

  • 83% of US privacy professionals expect GDPR spending to be at least $100,000
  • Of those, 17% expect to incur costs over $1 million
  • 40% of companies plan to spend at least $500,000 to become GDPR compliant

And the bigger the company, the bigger the investment:

  • One in four companies with more than 5,000 employees expect to spend over $1M on GDPR compliance
  • One in five companies with 1,000-5,000 employees expect to spend over $1M on GDPR compliance
  • One in 10 companies with 500-1,000 employees expect to spend over $1M on GDPR compliance

Security has dominated the industry for 20 years for good reason, but with increasingly strict regulations forcing rigid compliance, privacy is bubbling to the top of IT priorities and budgets. These are certainly significant investments. Given the complexity of privacy management in general, and GDPR compliance in particular, it's no wonder that privacy professionals need much greater resources to design and deploy processes and technology solutions. This is a clear message that the privacy industry must keep pace with customers’ privacy needs, and provide the solutions and approaches to protect consumers’ data and their companies' confidential information.   

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Related Content: 

 

 

As CEO of TrustArc, formerly known as TRUSTe, Chris has led the company through significant growth and transformation into a leading global privacy compliance and risk management company. Before joining TrustArc, Chris spent over a decade building online trust, most recently ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
FTC Opens Probe into Equifax Data Breach
Jai Vijayan, Freelance writer,  9/14/2017
Equifax CIO, CSO Step Down
Dark Reading Staff 9/15/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.