The GDPR is changing data security laws in a big way, and big changes often come with a hefty price tag. Depending on a company’s customer base, industry, and current data security practices, becoming compliant with the GDPR can consume a large chunk of IT's budget.
What is the GDPR? We broke it down for you > >
A PwC survey shows that 77 percent of US companies plan to spend at least one million dollars on GDPR compliance projects, while nine percent of US companies plan to spend over $10 million. Some companies in this situation are looking at these costs and asking if becoming GDPR compliant is worth it.
Some common GDPR cost-risk analysis questions are answered in Informatica blogger Monic McDonnell’s article, “Deprioritizing GDPR – Is it a Risk Worth Taking?” Her article delves into the probability of companies being fined and touches on how much a company should invest in GDPR compliance.
Aside from a fear of fines, are there other reasons the GDPR is a good investment? Or is the GDPR just a scare tactic the European Union is using to bring companies in line with their data security vision?
Pros of GDPR Compliance
Prevent Data Breaches
Wouldn’t it be nice if your company never had to deal with the fallout from a data breach? From fines to lost customers and revenue, a data breach is one of the worst things that can happen to a company. The dollars lost easily reach into the millions.
Look at the GDPR as a carrot urging companies to secure their data proactively, rather than a stick punishing companies who do not. It’s true that GDPR fines are hefty, but even those can look small when stacked next to the money lost due to a massive data breach.
Customer Trust
Customer loyalty, a company’s brand, and client referrals are all built on trust. Once trust is lost it can take years if not decades to earn it back.
Customer trust is the most vital component of a company. There are too many options for consumers nowadays; there’s no reason for a customer to choose a company they don’t trust when it’s so easy to find a company they do.
The 2016 Harris Reputation Quotient asked 23 thousand customers which factors have the largest effect on reputation. ‘Security or data breaches’ was among four scenarios ranked most damaging to corporate reputation, earning 74 percent of respondents’ votes.
In fact, data breaches rank above contamination, employee strikes, product recalls, and unfair workplace conditions in terms of the damage they are likely to cause a company’s reputation.
Cons of GDPR Non-Compliance
Fines
Fines are the part of the GDPR that people are most fixated upon. It’s no wonder. Fines are set at 4% of a company’s annual worldwide turnover or 20 million euros, whichever is greater.
Companies can prevent paying such hefty fines by investing efforts towards GDPR compliance. Some extra time and effort now will save a lot of trouble down the road.
Learn how to start your own GDPR compliance project in this step-by-step guide > >
Loss of Customers and Revenue
After Yahoo announced that billions of accounts were hacked, angry customers expressed extreme displeasure and even went so far as to close their Yahoo accounts.
Rick Hollister, owner of a private investigation firm in Florida, told Fortune in an interview that “We’re probably just going to dump Yahoo altogether.” This did not appear to be an uncommon sentiment.
On top of a loss of customers, Verizon lowered the price they were willing to pay to acquire Yahoo by $350 million.
When a company decides against complying with the GDPR, they’re positioning themselves over a double-edged sword. Without GDPR compliance, companies are both missing out on the trust they could build between themselves and their customers and are exposing themselves to hackers.
The GDPR is one of those for-your-own-good rules. It is like getting home insurance. Setting up your policy is a hassle, the monthly bills are annoying, and you might be okay if you skipped it…but the consequences of not having insurance can be devastating.
You can grimace, sigh, and complain, but at the end of the day the health of your customer relationships should outweigh the cost and inconvenience of boosting security measures and complying with the GDPR.
Loss of Reputation
Let’s say you’re a small company that is growing slowly, is not well-known, and doesn’t make a lot of noise. You know your data security is not up to par, but you don’t want to spend the time, money, or effort becoming GDPR compliant.
It is possible you could fly under the radar, avoid the notice of hackers, and never have a security issue. But who wants to be that company?
Business is meant to grow, spread, attract notice, and convert new customers. Unless you’re a tiny, unknown business tucked into the corner of nowhere (and perhaps even then), at some point in time your security measures will be tested.
The test could be a targeted attack, a disgruntled employee looking for leverage, or a piece of malicious code drifting along the internet. Whatever it is, it will cut through your sub-par security measures, scoop up your business’s data, and run off with both your information and your reputation.
Fines can be paid, security breaches patched, and a loss of customers will cause a temporary dip in revenue that can be reversed.
Reputation, on the other hand, can take decades to rebuild. What people say and believe about your company sticks. A policy won’t change how people think. A check written after a fine won’t alter your public image. In the end, reputation is more delicate than profits and much more valuable.
Leslie Gaines-Ross, author of A Guide to Building CEO Reputation and Company Success, says a blow to the wallet does less harm than a blow to a company’s credibility, no matter the size of the business.
In an interview with Forbes she said, “I don’t think anyone is safe from losing their reputation. In certain industries, it’s 90% trust and reputation…It’s like health care companies, or pharmaceutical companies, airlines. If you don’t trust an airline, you’re not going to fly it.”
The Future of Data Security
The GDPR affects companies that deal with citizens from the European Union and United Kingdom, giving those individuals new levels of data protection as well as more rights regarding their personal information.
What about other customers? Will people in the United States and Canada see any benefits from the GDPR? Will companies who market to the rest of the world see any reason to apply the GDPR’s higher security standards to their own customer data?
The answer, surprisingly, is often yes.
Many companies have both EU citizens and non-EU citizens as customers. When EU citizens make up a portion of a customer base, it is easier for the entire company to become GDPR compliant than to apply those higher standards only to the data of EU citizens. This means non-EU citizens may see their personal information protected by higher security standards thanks to the GDPR.
But there are also businesses who choose to comply with the GDPR despite not being legally compelled to do so. They do not have EU customers, yet they are launching their own GDPR compliance projects because the GDPR is good for business.
Look at the risks and benefits we’ve outlined. These don’t only apply to companies in the European Union. Data breaches at Yahoo and Equifax have shaken customers. Privacy and personal data are on the radar of individual consumers more than ever before.
Tom Pendergast attended the TrustArc Privacy Risk Conference in San Francisco, and what he saw there surprised him.
“Most of the privacy professionals I know welcome the GDPR. They see its coming as a great opportunity for companies to regularize around a common set of standards and requirements…[These companies] will in turn pass along their alignment with the GDPR to all their suppliers.”
Some people are even starting to discuss whether the United States should adopt the European Union’s GDPR rules. While these discussions have yet to secure popular support, the idea may gain momentum after the world sees the GDPR in action. How the General Data Protection Regulation is enforced will be a major deciding factor in whether it spreads from Europe to the rest of the globe. Much could be gained if the GDPR spread to the U.S. or Canada.
For instance, the GDPR contains a requirement that organizations inform supervisory authorities of a data breach within 72 hours. This prevents a company from dragging their feet or attempting to sweep a data breach under the rug. Equifax waited six weeks before announcing their data breach, during which consumers were vulnerable and unaware that their personal information had been stolen. Under the GDPR rules such actions would be illegal.
Americans in particular tend to be wary of government oversight, but remember that the GDPR regulations could have prevented incidents such as the recent Wells Fargo scandal. User agreements would have to be written in terms that are clear and able to be understood by someone other than a lawyer, making it more difficult for companies to abuse customers.
