With just three months to go until the General Data Protection Regulation (GDPR) becomes enforceable on May 25, most global companies are racing to prepare. We all want to avoid the substantial fines (up to four percent of revenue) and other penalties. But the benefits of good data privacy processes extend well beyond avoiding these fines and penalties. Having good privacy is essentially a commitment to your customers. It means your customers can trust you to treat their personal data appropriately. You capture data only where you have a legitimate business purpose for doing so and in accordance with your stated privacy policies. You protect the data while you have it and delete it when you no longer need it. In short, your customers know they can trust you with their personal information.
Privacy maturity also translates to bottom-line benefits you can measure. In time for Data Privacy Day, observed annually on January 28, Cisco released a groundbreaking Privacy Maturity Benchmark Study about the impact of data privacy maturity on business. Drawing on survey responses from nearly 3,000 security professionals in 25 countries, we found that privacy-mature companies are experiencing 80 percent shorter sales delays from customer data privacy concerns compared to companies with less mature privacy practices. We also found that privacy maturity translated to significantly lower costs from data breaches.
How Do You Assess Privacy Maturity?
Privacy professionals established a set of 10 principles (known as Generally Accepted Privacy Principles) to cover different aspects of the data lifecycle such as Notice, Choice and Consent, Collection, Use and Retention, Disclosure, etc. To assess progress, the AICPA/CICA developed a Privacy Maturity Model in 2011 which scores each of 73 specific privacy elements on a five-part scale from Ad hoc (least mature) to Optimized (most mature). As part of our benchmark study, we asked respondents to evaluate their overall privacy maturity level using this scale.
What does it mean to be privacy mature? Let’s look at one example of the 73 elements, which addresses whether the company has an inventory of all personal data and how the data is used. At an Ad hoc (least mature) company, “any inventory is incomplete, inconsistent, and potentially out of date.” At an Optimized (most mature) company, “all personal information stored and used has been classified, records are reviewed to ensure appropriate classification, and procedures exist to monitor compliance.”
How Does Privacy Maturity Translate to Business Value?
Our study found that nearly two-thirds of organizations experience sales delays due to customer data privacy concerns, with an average delay of 7.8 weeks. The average delay seen by a privacy-mature company was just 3.4 weeks, which is an 80 percent reduction when compared to the average 16.8 weeks delay seen by companies with less mature privacy practices. Delays in sales can cause companies to miss quarterly and annual targets, lose revenue, and damage their reputations. For most companies, reducing sales delays is well worth the initial investment in data privacy.
In addition to shorter sales delays, privacy-mature companies also experienced lower losses from data breaches in the last year. Specifically, 39 percent of privacy-mature companies lost more than $500,000 in the last year from data breaches, compared to 74 percent of companies with less mature privacy practices. It makes sense that a company that captures only the data it needs and keeps the data only as long as needed would lose less from a data breach, but more research is needed to confirm the connection.
How Much Should You Invest in Privacy?
We suggest that you seek to understand the impact of sales delays due to customer data privacy concerns. Specific next steps include measuring current delays, assessing root causes, and establishing ongoing metrics and targeted initiatives to reduce any delays. It’s not generally cost effective to strive to achieve the highest maturity level across all processes, so you should invest only where it returns positive value. Noteworthy in our study, the organizations that achieved most of the reduction in sales delays and losses had attained at least the third level of privacy maturity (i.e., “Defined” stage), so investing beyond that level might be less beneficial.
In future blogs, I’ll discuss major differences in sales delays by country and industry, and which organizational models are best suited to minimize delays.
Podcast: Good Privacy Is Good for Business