The EU's General Data Protection Regulation (GDPR) sent organizations across Europe into a tailspin over their data storage and privacy procedures, and months on, only 59 percent of companies believe they are GDPR-compliant.
Data breaches are commonplace, credit monitoring is fast looking like an excellent service to be adopted by the average individual, and regulators, more than ever, are holding businesses to account when they do not take reasonable steps to protect the information they store.
This month, Google was made an example of by French data protection watchdog CNIL, which fined the tech giant €50 million for allegedly railroading users into consenting to processes they did not understand.
It is unlikely that Google will be the last business to come under the microscope when it comes to GDPR. The UK's Information Commissioner's Office receives upwards of 500 calls a week in relation to data security and privacy since the new laws came into effect on 25 May 2018.
On Thursday, Cisco released its 2019 Data Privacy Benchmark Study which explored how the new privacy regulations have impacted the enterprise.
The study is based on information provided by over 3200 security professionals in 18 countries across a variety of industries. When asked about their organization's readiness for GDPR, the results were not encouraging.
In total, 97 percent of respondents said that GDPR applied to their firms. Only 59 percent of businesses said they are meeting "all or most" GDPR stipulations today, although a further 29 percent expect to reach this level within a year.
Cisco says that the effort is often worth it when it comes to data breaches. Companies which implement GDPR-compliant security measures are less likely to be breached than those which are not compliant -- 74 percent vs. 89 percent -- and when a data breach does occur, fewer records are impacted on average --79,000 vs. 212,000 -- and system downtime is also generally shorter.
In addition, the average cost of a data breach is lower. The study estimates that only 37 percent of GDPR-compliant firms had a data breach-related loss of over $500,000 last year, in comparison to 64 percent of the least GDPR-ready.
When asked about the major challenges GDPR poses, respondents said data security, training, and privacy-by-design requirements were some of the most significant areas in which reaching GDPR standards were the most difficult to implement, as below:
- 42 percent: Meeting data security requirements
- 39 percent: Internal training
- 35 percent: Staying on top of the ever-evolving interpretations and developments as the regulation matures
- 34 percent: Complying with privacy by design requirements
- 34 percent: Meeting data subject access requests
- 31 percent: Cataloging and inventorying our data
- 30 percent: Enabling data deletion requests
- 29 percent: Hiring/identifying data protection officers for each relevant geography
- 28 percent: Vendor management
However, there are benefits, too, beyond less costly data breaches and improved data practices. In total, 97 percent of respondents acknowledged at least one of the benefits below when it comes to investment in improved privacy and data protection systems.
- 42 percent: Enabling agility and innovation from having appropriate data controls
- 41 percent: Gaining competitive advantage versus other organizations
- 41 percent: Achieving operational efficiency from having data organized and cataloged
- 39 percent: Mitigating losses from data breaches
- 37 percent: Reducing any sales delays due to privacy concerns from customers/prospects
- 36 percent: Gaining appeal with investors
"These results highlight that privacy investment has created business value far beyond compliance and has become an important competitive advantage for many companies," Cisco says. "Organizations should, therefore, work to understand the implications of their privacy investments, including reducing delays in their sales cycle and lowering the risk and costs associated with data breaches as well as other potential benefits like agility/innovation, competitive advantage, and operational efficiency."