Data Privacy is having a big year. The General Data Protection Regulation (GDPR) became enforceable in May 2018, along with potential fines of up to 4% of gross revenue, and many countries have passed or updated their own privacy laws to align with the GDPR framework. California passed a new privacy law that went from draft to law in under a week last June, and other states have followed or are considering following suit. A U.S. Federal Data Protection Law is now under serious discussion. In this environment, organizations have been working hard to meet and prepare for these privacy requirements, and they would like to know how their investments are helping their organizations beyond just meeting compliance requirements. Is there an ROI beyond fine and penalty avoidance?
Today, in observance of International Data Privacy Day, Cisco released its 2019 Data Privacy Benchmark Study revealing the impact and business benefits from data privacy investments. The Study draws on responses in a double-blind survey from over 3200 privacy and security professionals in 18 countries.
GDPR Readiness Impact
The Study finds that organizations are benefitting from their privacy investments beyond compliance. While only 59% of companies believe they are ready for all or most of GDPR’s requirements, those that are ready are capturing substantial business benefits such as reduced sales friction and greater data security compared to the others. Specifically, GDPR-ready companies are experiencing shorter sales delays due to customers’ privacy concerns. Their average delay was 3.4 weeks compared to 5.4 weeks for those that are the least ready for GDPR.
The GDPR-ready companies are also less likely to be breached (74% were breached) compared to the least ready for GDPR (89% breached). And, most interestingly, when a breach did occur, fewer data records were impacted. GDPR-ready companies averaged 79,000 records impacted compared with 212,000 records impacted for the least GDPR-ready. As a result, only 37% of the GDPR-ready companies had data breaches costing more than $500,000, compared with 64% of the least GDPR-ready companies.
Sizing up Sales Delays
Customers are asking more questions during the sales process about how data is captured, used, stored, transferred, accessed, and deleted – and this is creating delays in the sales cycle for companies around the world. In last year’s study we found that 66% of companies had sales delays, and the average delay was 7.8 weeks. This year, we found 87% of companies reporting sales delays, and the increase is likely due to the greater awareness of privacy issues brought on by GDPR and the frequency of data breaches in the news. Interestingly, the average delay was about half that of last year, with an average delay of 3.9 weeks for existing customers and 4.7 weeks for prospects. Organizations are getting better at responding to customers’ privacy questions. They are no longer scrambling to answer data privacy questions for the first time, and many have developed robust capabilities to share their data privacy policies and practices with customers and prospects as needed in the sales process.
What does this mean for companies?
Nearly all companies (97%) say they are receiving auxiliary benefits today from their data privacy investments beyond just meeting compliance requirements, and most companies identified multiple areas of benefit. In addition to mitigating losses from breaches and reducing sales delays, these benefits include greater agility and innovation, competitive advantage versus competition, and operational efficiency. The majority of companies now say that privacy is a competitive differentiator in their markets.
The results of this Study highlight that privacy is good for business. Cisco recommends that companies:
- Invest in privacy maturity to address the requirements of GDPR and other relevant privacy regulations and frameworks;
- Measure any privacy-related sales delays with existing customers or prospects, identify the causes of delays, and take action to reduce them;
- Minimize the amount of personal data that is stored and processed, and put in place appropriate protections for this data based on risk to help reduce costs and minimize impact if/when there is a data breach;
- Once data is appropriately protected, work to maximize the value of the organization’s data assets over the lifecycle of the data.
In future blogs, I’ll discuss what we’ve learned about how GDPR applicability and readiness vary across countries and industries, the underlying causes of privacy-related sales delays, and the progress companies are making to maximize the value of their data assets.