The EU’s General Data Protection Regulation (GDPR) became enforceable on May 25, 2018, and privacy laws and regulations around the globe continue to evolve and expand.
Most organizations have invested, and continue to invest, in people, processes, technology and policies to meet customer privacy requirements and avoid significant fines and other penalties. In addition, data breaches continue to expose the personal information of millions of people, and therefore organizations are concerned about the products they buy, the services they use, the people they employ, and those with whom they partner and generally do business. As a result, customers are asking more questions during the buying cycle about how their data is captured, used, transferred, shared, stored, and destroyed. In last year’s study (Cisco 2018 Privacy Maturity Benchmark Study), Cisco introduced data and insights regarding how these privacy concerns were negatively impacting the buying cycle and timelines. This year’s research updates those findings and explores the benefits associated with privacy investment.
Cisco’s Data Privacy Benchmark Study utilizes data from Cisco’s Annual Cybersecurity Benchmark Study, a double-blind survey completed by more than 3200 security professionals in 18 countries and across all major industries and geographic regions. Many of the privacy-specific questions were addressed to more than 2900 respondents who were familiar with the privacy processes at their organizations. Participants were asked about their readiness for GDPR, any delays in the sales cycle due to customer data privacy concerns, losses from data breaches, and their current practices related to maximizing the value of their data.
The findings from this study provide strong evidence that organizations are benefitting from their privacy investments beyond compliance. Organizations that are ready for GDPR are experiencing shorter delays in their sales cycle related to customers’ data privacy concerns than those that are not ready for GDPR. GDPR ready organizations have also experienced fewer data breaches, and when breaches have occurred, fewer records were impacted and system downtime was shorter. As a result, the total cost of data breaches was less than what organizations not ready for GDPR experienced. Even though companies have focused their efforts on meeting privacy regulations and requirements, nearly all companies say they are receiving other business benefits from these investments beyond compliance. These privacy-related benefits are providing competitive advantages to organizations, and this study can help guide investment decisions as organizations work to mature their privacy processes.
Among all respondents in the Data Privacy Benchmark Study, 59% indicated that they are meeting all or most of GDPR’s requirements today. Another 29% said they expect to be GDPR ready within a year, leaving 9% who said it would take more than a year to get ready. While GDPR applies to businesses located in the EU or to the processing of personal data collected about individuals located in the EU, it is interesting that only 3% of the respondents in our global survey indicated that they did not believe GDPR applied to their organization.
By country, the level of GDPR readiness ranged from 42% to 76%. Not surprisingly, the European countries in the survey (Spain, Italy, UK, France, Germany) were generally on the higher end of the range.
Respondents were asked to identify the most significant challenges their organizations faced in getting ready for GDPR. The top responses were data security, internal training, evolving regulations, and privacy by design requirements.
Sales delays due to privacy
Respondents were asked whether they are experiencing delays in their sales cycles due to customers’ data privacy concerns. 87% of respondents said they do have sales delays, whether from existing customers or prospects. This is significantly higher than the 66% of respondents who reported sales delays in last year’s survey and is likely due to the increased awareness of the importance of data privacy, GDPR becoming enforceable, and the emergence of other privacy laws and requirements. Data privacy has become a board-level issue for many organizations, and customers are making sure their vendors and business partners have adequate answers to their privacy concerns before doing business together. When asked about the length of the delay, the estimates varied widely.
The average delay for sales to existing customers was 3.9 weeks, and over 94% of organizations reported delays between 0 and 10 weeks. Nonetheless, there were some organizations reporting delays up to 25 to 50 weeks or more. Note that the average delay for sales to prospects was 4.7 weeks, perhaps reflecting the longer timeframes needed to adequately address privacy concerns in a new potential customer relationship. These average delays for both existing customers and prospects are significantly shorter than the average of 7.8 weeks reported in last year’s survey, perhaps reflecting the fact that firms have become better equipped over the last year to answer customers’ privacy concerns.
By country, the distribution of sales delays for existing customers ranged from 2.2 weeks to 5.5 weeks. Longer delays can usually be found where privacy requirements are high or in a state of transition, as organizations work to adapt to the concerns raised by their customers.
Sales delays, at a minimum, cause revenue to be deferred for some period of time. This can lead to missed revenue targets, impacting compensation, funding decisions, and investor relations. In addition, delayed sales can often turn into lost sales, for instance, when delays cause a potential customer to buy a competitor’s product or not buy the product or service at all.
Respondents were also asked to identify the reasons for any privacy-related sales delays at their organizations.
The top responses included the need to investigate specific customer requests, translating privacy information into the customer’s language, educating the customer about the company’s privacy practices or processes, or having to redesign the product to meet the customer’s privacy requirements.
Business benefits of privacy investments
Organizations that have invested in getting ready for GDPR have done so primarily to avoid the significant fines and other penalties associated with not meeting the regulation. However, as the research indicates, there are other significant business benefits associated with these privacy investments.
In looking at the sales delays due to privacy issues, the average delay for selling to existing customers was 3.9 weeks. However, those organizations which reported they are meeting all or most of GDPR’s requirements had an average sales delay of 3.4 weeks, compared to 4.5 weeks for organizations which aren’t yet ready but expect to be within a year, and 5.4 weeks for those organizations that are over a year away from being GDPR ready. Thus, the least prepared organizations have average delays that are nearly 60% longer than those who are most prepared.
Another tangible benefit from GDPR readiness is that it appears to lower the frequency and impact of data breaches. GDPR requires organizations to know where their personally identifiable information (PII) is located and provide appropriate protections for this data. These efforts may have helped organizations better understand their data and the risks associated with it, and establish or strengthen protections for that data.
While most companies reported having a data breach in the last year, a lower percentage (74%) of the GDPR ready companies were impacted, compared to 80% of the organizations less than a year from GDPR readiness and 89% of those that are farthest from being GDPR ready.
Furthermore, once a breach occurred, the GDPR ready companies experienced a smaller impact. The average number of records impacted was 79,000 for these companies versus 212,000 for those that are least ready for GDPR.
GDPR ready companies also experienced shorter system downtimes associated with the breach, perhaps connected again to better management of their data assets. GDPR ready companies had an average system downtime of 6.4 hours versus 9.4 hours for organizations least ready for GDPR.
With fewer records impacted and shorter downtimes, it is not surprising that the GDPR-ready companies experienced lower overall costs associated with data breaches. Only 37% of these companies had losses from data breaches totaling at least $500,000, compared to 64% of those companies least prepared for GDPR.
Organizations recognizing the benefits of privacy investment
The previous two sections of this study highlighted the correlations between privacy investments and business benefits such as shorter sales delays and fewer and less costly data breaches. It is interesting to note that most respondents are now recognizing many of these benefits. When asked whether privacy investment was yielding benefits (such as greater agility and innovation, gaining a competitive advantage, achieving operational efficiency, etc.), 75% of all respondents identified two or more of these benefits and nearly all companies (97%) identified at least one benefit.
Maximizing the value of data
Data privacy is one critical aspect of an organization’s overall effort to maximize the value of its data assets over the data’s lifecycle. Like any other asset, data should be efficiently acquired, stored, protected, utilized, and archived/deleted. Organizations that maximize the value of their data in appropriate ways can benefit greatly by building trust with customers and using well-protected and curated data to enhance the customer experience and drive greater value for all stakeholders.
Respondents in this survey were asked about a range of behaviors typically found in mature data environments such as having a complete data catalog, connecting data to other assets, hiring a chief data officer, and monetizing the data externally. Fewer than one-half of the survey respondents exhibited each of these characteristics, and this will be an area for further research to better understand how organizations are maximizing the value of their data assets.
These results highlight that privacy investment has created business value far beyond compliance and has become an important competitive advantage for many companies. Organizations should therefore work to understand the implications of their privacy investments, including reducing delays in their sales cycle and lowering the risk and costs associated with data breaches, as well as other potential benefits like agility/innovation, competitive advantage and operational efficiency. The analysis and insights from this survey can serve as a framework and starting point for each organization to maximize the value from its privacy investments.
This research has quantified a number of business benefits connected to privacy maturity. Many of the benefits initially identified in last year’s report have been confirmed and explored more fully, including reducing privacy-related sales delays and reducing the frequency and impact of data breaches. In future research, we’ll explore how these benefits are changing over time, especially as privacy regulations and customer expectations continue to evolve in different industries and different geographies. Cisco will continue to work with our customers and other leaders in the privacy field to provide information for better investment decision-making and improved trust with our customers.