Nearly all organizations worldwide are now recognizing that privacy investment is translating into upside business benefits. Organizations that have invested to get ready for the EU General Data Protection Regulation are experiencing fewer and less costly data breaches. And they are seeing less sales friction due to customers’ privacy concerns.  

These are some of the findings from the recently released Cisco 2019 Data Privacy Benchmark Study, which draws on data from a double-blind survey of more than 3,200 security and privacy professionals across 18 countries. The study is the first in a series exploring key issues that organizations are facing in privacy and cybersecurity today.

Auxiliary benefits of privacy

Most companies (97 percent) say they are receiving auxiliary benefits today from their data privacy investments beyond just meeting compliance requirements, and most companies identified multiple areas of benefit. These benefits include greater agility and innovation, competitive advantage versus competition, operational efficiency, and investor appeal. Seventy-five percent of all respondents said they were receiving two or more of these benefits. In addition, the majority of companies now say that strong data privacy is a competitive differentiator in their markets.

Less costly data breaches

Companies that said they are ready for all or most of the GDPR’s requirements were less likely to have experienced a data breach during the last year compared to the least ready for the GDPR (74 percent versus 89 percent). And when a breach did occur (as they often did), the financial impact was significantly less for GDPR-ready companies. Fewer data records were impacted (79,000 records versus 212,000), and system downtime was shorter (6.4 hours versus 9.4 hours). As a result, only 37 percent of GDPR-ready companies had data breaches costing more than $500,000, compared with 64 percent of the least GDPR-ready companies.

Shorter sales delays

Respondents in the survey were asked whether they are experiencing delays in their sales cycles due to customers’ data privacy concerns. Eighty-seven percent said they have sales delays, whether from existing customers or from prospects. This is up significantly from the 66 percent in last year’s survey and is likely due to the increased awareness of the importance of privacy, the GDPR becoming enforceable, and the emergence of other privacy laws and requirements. The average length of the sales delay this year was 3.9 weeks, and this delay would potentially impact the company’s financial results, compensation, and funding decisions. 

Privacy investments help organizations respond more quickly and effectively to customer inquiries. The companies that were the least ready for the GDPR experienced an average 5.4 weeks of sales delay, which is nearly 60 percent more than the average 3.4 weeks experienced by GDPR-ready companies. The top reasons for these privacy-related sales delays included the need to investigate specific customer requests, translating privacy information into the customer’s language, educating the customer, or having to redesign the product to meet the customer’s privacy requirements.

GDPR readiness

Among all respondents in the study, 59 percent indicated they are meeting all or most of the GDPR’s requirements. Another 29 percent said they expect to be GDPR ready within a year, leaving only 9 percent who said they were more than a year away. Interestingly, only 3 percent of the respondents in the global survey said they did not believe the GDPR applied to their organization, indicating the global reach of GDPR requirements.

By country, the level of GDPR readiness ranged from 42 to 76 percent. Not surprisingly, the European countries were generally on the higher end of that range. Respondents were also able to identify the most significant challenges their organizations faced in getting ready for the GDPR. The top responses were data security, internal training, evolving regulations, and privacy-by-design requirements.

Support for a federal privacy law

The U.S. government is now considering enacting a federal privacy law, and this study provides evidence on several key issues regarding the potential benefits of this legislation:

• We found significant business benefits associated with meeting privacy regulations and thereby getting one’s “data house in order.” Organizations can close sales more quickly, and they experience fewer and less costly breaches. These benefits help offset any additional costs or regulatory burden associated with the new legislation.
• The global pace of business means that privacy regulations often have a wide-ranging impact. In our study, only 3 percent of organizations from 18 different countries said that the GDPR doesn’t apply to them. Therefore, it is easy to see how having one U.S. federal privacy law would be significantly less onerous on organizations than having to address up to 50 different state regulations. 

Maximizing the value of data

Data privacy is one critical aspect of an organization’s overall effort to maximize the value of its data assets, in appropriate ways, over the data’s life cycle. Like any other asset, data should be efficiently acquired, stored, protected, utilized and archived/deleted. Companies that maximize the value of their data, subject to privacy considerations, can benefit greatly by building trust with customers and using well-protected and curated data to enhance the customer experience and drive greater value to shareholders.

Our survey suggests most companies are still in the early days of treating data as an asset. Respondents were asked about a range of behaviors typically found in mature data environments (e.g., having a complete data catalog, connecting data to other assets, hiring a chief data officer). Fewer than one-half exhibited each of these characteristics. This will be an area for further research to better understand how organizations are maximizing the value of their data assets.

Recommendations 

The results of this study highlight that privacy is good for business. Cisco recommends that companies invest in privacy maturity to address the requirements of the GDPR and other relevant privacy regulations and frameworks. Organizations should also measure any privacy-related sales delays with existing customers or prospects, identify the causes of delays, and take action to reduce them. It's also important to minimize the amount of personal data that is stored and processed and put in place appropriate protections for this data based on risk to help reduce costs and minimize impact if/when there is a data breach. And finally, once data is appropriately protected, companies should work to maximize the value of the organization’s data assets over the life cycle of the data. 

photo credit: wuestenigel Flat lay with glasses, keyboard and cactus candle on colorful background. via photopin (license)