Compliance can be costly and often feels more like red tape and a barrier to business than anything that provides a benefit. A report by EY and the International Association of Privacy Professionals (IAPP) estimates that organizations have spent an average of $3 million to achieve compliance with the European Union’s General Data Protection Regulation (GDPR), a sweeping piece of legislation that affects any company that stores or processes data on European Union (EU) citizens.
Aside from reducing the chance of large fines from the likes of the Information Commissioner’s Office (ICO) or the Commission nationale de l’informatique et des libertés (CNIL), what quantifiable business outcomes does GDPR provide?
Achieving GDPR compliance may have some quantifiable benefits in reducing the potential risk and impact of data breaches. Proper data mapping, greater organization of data, encryption, and a general reduction in data that’s being collected can all help a company reduce some of its risk.
According to Cisco’s 2019 Data Privacy Benchmark Study, organizations with mature privacy functions were more likely to know where their personally identifiable information (PII) is located (and how it is used) and to have a catalogue of their data assets. “Achieving operational efficiency from having data organized and catalogued” and “mitigating losses from data breaches” were listed as two of the top six benefits of GDPR-related privacy investments given by the report’s respondents.
Fifty-nine percent of the 3,200 security professionals surveyed from 18 countries across all major industries and geographic regions defined themselves as GDPR-ready (meeting most or all GDPR requirements). Those GDPR-ready companies are reportedly less likely to have experienced a breach in the last year, and those that did suffer breaches lost fewer records and therefore saw smaller incident costs.