[BreachExchange] GDPR: A Cost vs. Benefit Analysis

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 23 19:42:05 EDT 2018


https://www.informationweek.com/strategic-cio/security-and-risk-strategy/gdpr-a-cost-vs-benefit-analysis/a/d-id/1331616

It's a mistake for companies to view compliance with GDPR as just a
financial burden. There are real benefits to be had in understanding and
protecting customer data.

Complying with GDPR can be perceived as a burden for businesses – and
understandably so, with fines for non-compliance of up to 4% of total
global annual revenue or 20 million euros, whichever is higher. But regulations
and compliance efforts also present overlooked benefits for organizations,
as long as they are administered with a proper understanding of the
regulation.

GDPR is a landmark regulation for how it rebalances the data relationship
between an individual and the organization that collects and processes
their data. GDPR aims to provide EU residents with fundamental data rights
to how their personal information gets used by business. By promulgating a
broad range of rights from data access to erasure, GDPR promotes better
accountability to customers and employees through better data accounting.

The International Association of Privacy Professionals estimates that
Fortune's Global 500 companies will spend roughly $7.8 billion in order to
ensure they are compliant with GDPR – no small sum. Yet viewing GDPR
through the lens of compliance cost alone doesn't reflect the broader
change afforded by the sweeping regulation. Yes, there will be substantial
costs associated with operationalizing specific obligations inside the
organization, but the benefits can be argued to far outweigh the investment.

GDPR is an expansive regulation. Over-compartmentalizing and attempting to
tackle each individual obligation one at a time will leave companies exposed
on compliance, and money will be wasted on piecemeal efforts that never
improve overall data understanding.

Instead, a holistic, big picture approach is required for real benefits.
GDPR starts with knowing what data you have on whom, where. If a company
knows its data, it can build from that to answer data subject access
rights, consent, breach response, data processing record keeping, and more.

If handled in the right frame of mind, here are some tangible business
benefits to be expected with compliance come May 25.

Understanding the customer

First and foremost, compliance efforts help companies better understand
their customer by better understanding their data. If customers are the
lifeblood of a modern digital business, then knowing customers’ data takes
on commercial “life or death” urgency.

In order to comply with regulations, increasing data visibility across
organizational silos, de-duping lists, and cleansing and mapping data are
musts. Data is the new oil, and knowing exactly what kind of oil, how much
and where it is running through the engine not only provides a vehicle to
safeguarding data, but also a way to unlock value within that data and
improve performance, in a private and secure way.

Cyber insurance and civil action savings

The cyber insurance market has exploded in recent years, with annual gross
premiums expected to reach $7.5 billion by 2020. Companies mandated to
comply, and those showing proof of compliance with these stringent
regulations will likely see a significant reduction in annual cyber
insurance costs.

In March, a federal judge showed just how beneficial Article 33 (mandatory
notification of the supervisory authority within 72 hours of becoming aware
of a breach) may prove to be in limiting civil action costs. Yahoo was
ordered to face a lawsuit claiming the personal information of three billion
users was compromised in a series of breaches. The reason the case was
allowed to proceed? Being too slow to disclose the breaches, which occurred
from 2013 to 2016. Under GDPR, "too slow" will not be an option.

Protect brand reputation through pre-breach data privacy practices

As seen in high profile cases with Equifax, Uber, Yahoo, Target and others,
organizations will go to great lengths to avoid disclosure in order to protect
brand reputation. A hard rule on public disclosure is understandably
daunting, but the role GDPR will play in helping companies better
understand what data they have, the risk it carries and how to protect it
will prove greatly beneficial in avoiding a breach altogether.

The level of data understanding that compliance demands is exactly what is
needed to carry out pre-emptive data privacy practices such as data
minimization (limiting collection and retention to the information that is
essential to business operations) and data tokenization (removing sensitive
data from application systems and replacing it with a random token that is
worthless to an attacker because it is not derived from the original value).
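The two practices named above, as an added example that is not part of the original article: field-level data minimization (an allow-list of fields a record may keep) and vault-style tokenization (a random token replaces the sensitive value, and only a separately protected vault holds the mapping). The `TokenVault` class, the `minimize_and_tokenize` helper and the sample customer record are constructed for this illustration. The block also shows why a plain hash is not a token: a date of birth has only about 33,000 plausible values, so a hash of it is reversed by enumeration in well under a second, whereas the random token is not a function of the value at all.

```python
"""Added example: data minimization plus vault-style tokenization.
Constructed for illustration; not code from the article. All names and the
sample record are assumptions."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Optional


class TokenVault:
    """Replaces a sensitive value with a random token. The token carries no
    information about the value; only this vault's mapping can reverse it."""

    def __init__(self, index_key: bytes):
        # A keyed index lets the vault find an existing token for a value
        # without keeping a plaintext reverse map. The key is assumed to live
        # in the vault's own key store, never alongside application data.
        self._index_key = index_key
        self._token_to_value: dict = {}
        self._index_to_token: dict = {}

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        idx = self._index(value)
        if idx not in self._index_to_token:
            # secrets.token_hex draws from the OS CSPRNG: the token is not a
            # function of the value, so it cannot be brute-forced offline.
            token = "tok_" + secrets.token_hex(16)
            self._token_to_value[token] = value
            self._index_to_token[idx] = token
        return self._index_to_token[idx]

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def minimize_and_tokenize(record: dict, keep: set, tokenize: set,
                          vault: TokenVault) -> dict:
    """Minimization: retain only allow-listed fields. Tokenization: swap the
    sensitive ones for vault tokens before the record leaves the trusted
    boundary (warehouse, analytics, third-party processor)."""
    out = {}
    for field, value in record.items():
        if field not in keep:
            continue  # not essential to the business purpose: do not retain
        out[field] = vault.tokenize(value) if field in tokenize else value
    return out


def naive_hash_token(value: str) -> str:
    """The tempting but weak alternative: an unkeyed hash of the value."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_dob_from_hash(digest: str, first: date = date(1920, 1, 1),
                          last: date = date(2010, 12, 31)) -> Optional[str]:
    """Why a hash is not a token: enumerate every date of birth in range and
    compare hashes. Returns the recovered value, or None if not found."""
    day = first
    while day <= last:
        candidate = day.isoformat()
        if naive_hash_token(candidate) == digest:
            return candidate
        day += timedelta(days=1)
    return None


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "jane.doe@example.com",
    "dob": "1984-07-15",
    "card_number": "4111111111111111",
    "browser_fingerprint": "ff3a9c01",  # collected but never needed: drop it
}

if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    safe = minimize_and_tokenize(
        SAMPLE_RECORD,
        keep={"customer_id", "email", "dob", "card_number"},
        tokenize={"email", "dob", "card_number"},
        vault=vault,
    )
    print(safe)                                   # tokens, no raw PII
    print(vault.detokenize(safe["card_number"]))  # only the vault can reverse
    print(recover_dob_from_hash(naive_hash_token(SAMPLE_RECORD["dob"])))
```

The design point is the separation: application systems and downstream processors hold only tokens and the allow-listed fields, so a breach of those systems exposes nothing reversible and the population affected is immediately known from the vault's scope. The keyed index is what makes repeated tokenization of the same value return the same token without storing a plaintext reverse map.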

Minimizing response costs

The 2017 Cost of Data Breach Study from the Ponemon Institute puts the
global average cost of a breach at $3.6 million, or $141 per data record.

Under GDPR, the supervisory authority must be notified within 72 hours of
becoming aware of a breach (Article 33), and affected individuals must be
notified without undue delay when the breach is likely to result in a high
risk to them (Article 34). No business is going to be happy about spending
millions dealing with breach fallout, but the cost of notifying victims will
be drastically reduced for those complying with GDPR. Through the increased
data visibility required for compliance, funds spent on determining who
exactly was affected by a breach will be all but eliminated.

The big picture

GDPR aims to provide better accountability to consumers through better data
accounting. Ultimately, this helps build trust between a company and its
customers. However, in a very real financial way it also has economic
benefit. The investments required to comply with GDPR equip companies to
better protect themselves and to better extract value from their customer
data. GDPR at first blush looks like a cost for businesses to incur. But dig
deeper and you find it opens up new protections and value.