7/11/2017
10:30 AM
Chris Babel
Commentary

The High Costs of GDPR Compliance

Looming, increasingly strict EU privacy regulations are pushing privacy spending to the top of IT priorities and budgets.

While security is all about locking down data, privacy is all about protecting that data while it's being used to drive business value. In an increasingly data-driven business environment, the companies that are best equipped to turn their data into insight are gaining measurable advantage over the competition. This includes mining customer data to feed your next marketing campaign, or predicting individual consumer behavior from the clicks a user makes on a website.

In order to use data for business purposes both successfully and legally, companies must comply with a number of state, national, and regional regulations. Recently it has been the European Union's (EU) General Data Protection Regulation (GDPR) that is occupying the minds of privacy professionals. In less than a year's time, GDPR, the most sweeping change to data protection in the past 20 years, will take effect, and its impact will be felt by every organization that does business in the EU or that handles the personal data of individuals in the EU in any manner, regardless of where the organization itself is located.

To understand the status of US companies' efforts to meet privacy mandates in general, and the May 25, 2018 GDPR deadline in particular, Dimensional Research conducted a survey of more than 200 privacy professionals this past May. I've been associated with privacy and security companies since the '90s, and a few findings from the research are particularly noteworthy.

The Job of Privacy is Getting Harder
Among the respondents, privacy is the sole job function for more than a third and an important part of the job for more than 60%. For the vast majority (98%) of these privacy professionals, the job of managing privacy is becoming increasingly complex. More than half describe the task as significantly more complex. At the same time, 96% of respondents say that the importance of managing privacy is increasing, with almost 70% noting that it's becoming significantly more important.

For US privacy professionals, their role is becoming more important while the complexity of their job is increasing. Whether or not that means these privacy professionals feel empowered - or up to the challenge - in their roles is an open question. There's a hint of an answer, though, if we look at the help respondents say they need most in order to comply with GDPR. 

GDPR Planning: Urgent & Costly
When asked where they need the most help, respondents put complying with data privacy requirements and developing a GDPR plan at the top of the list (39%), followed by addressing international data transfers (36%) and meeting regulatory reporting requirements (30%).

A majority of respondents (61%) haven't yet begun implementing their GDPR readiness plan. The survey homed in on exactly the support these privacy professionals need to become compliant: creating new policies and processes (69%), obtaining privacy expertise to understand the regulations (63%), and technology and tools to automate and operationalize data privacy (48%). For larger companies with at least 5,000 employees, the need for technology jumped to almost 60%; for smaller companies with 500-1,000 employees, it was 36%.

To address their GDPR woes, nearly all of the respondents report that they will invest in resources such as consultants, new hires, and technology to help prepare for next year's May deadline. A full 99% will invest in additional capabilities; a scant 1% seem to be all set.

Privacy Spending: 'Significantly' Increasing for Half
It gets really interesting, however, when we start looking at the financials. Nearly half of all companies surveyed say that their overall spending on managing privacy is significantly increasing, while the other half say their spending on privacy management is becoming slightly larger. That means that across the board, investments in privacy are going up. If we dive even deeper into the numbers we find:

  • 83% of US privacy professionals expect GDPR spending to be at least $100,000
  • Of those, 17% expect to incur costs over $1 million
  • 40% of companies plan to spend at least $500,000 to become GDPR compliant

And the bigger the company, the bigger the investment:

  • One in four companies with more than 5,000 employees expect to spend over $1M on GDPR compliance
  • One in five companies with 1,000-5,000 employees expect to spend over $1M on GDPR compliance
  • One in 10 companies with 500-1,000 employees expect to spend over $1M on GDPR compliance

Security has dominated the industry for 20 years for good reason, but with increasingly strict regulations forcing rigid compliance, privacy is bubbling to the top of IT priorities and budgets. These are certainly significant investments. Given the complexity of privacy management in general, and GDPR compliance in particular, it's no wonder that privacy professionals need much greater resources to design and deploy processes and technology solutions. This is a clear message that the privacy industry must keep pace with customers’ privacy needs, and provide the solutions and approaches to protect consumers’ data and their companies' confidential information.   


As CEO of TrustArc, formerly known as TRUSTe, Chris has led the company through significant growth and transformation into a leading global privacy compliance and risk management company. Before joining TrustArc, Chris spent over a decade building online trust, most recently ...