One of the hottest topics in the business world these days is the General Data Protection Regulation (GDPR), the European Union’s endeavor to create a unified framework that governs how data collectors and processors safeguard the privacy of their users and build walls that cybercriminals can’t penetrate.
Knowing the penalties they face if caught off guard, organizations in almost every vertical are rushing to achieve compliance. While earlier studies showed that high-ranking execs were slow to react to the impending change, new research shows things are suddenly beginning to look a lot better.
More than 300 C-level security executives participated in a survey to help pentesting company Netsparker assess the progress of different companies in various industries, and learn how and what each industry is doing to achieve compliance. The results are promising.
Right off the bat, contracted surveyor Propeller Insights found companies everywhere are taking GDPR very seriously. Despite lagging in PCI and HIPAA compliance, 99% of the security executives surveyed said their company was very involved in the process of becoming GDPR compliant.
About half (49%) are three quarters of the way through the process, 37% are halfway there, and 71% are confident they’ll be fully compliant before GDPR takes effect on May 25. Only 2% believe it’s unlikely they’ll be ready by the deadline.
Security executives are increasingly aware of this as May 25 approaches, with 57% of companies re-engineering internal systems and procedures in preparation for GDPR. 55% are recruiting people specifically to tackle compliance, and 48% are re-engineering internal security teams.
“People are taking GDPR seriously because of how many high-profile data breaches we have all witnessed in the last few years,” said Ferruh Mavituna, CEO of Netsparker. “In the past, blame for data breaches was shifted around from party to party. Was it the business? The individual? The government? GDPR removes the ambiguity. As of May 25, businesses are responsible for data breaches. As a result, companies will have to restructure how they handle data, and, if they don’t have a sound IT infrastructure, they will have to rebuild from the ground up. It’s heartening to see that so many companies are taking themselves to task.”
When the GDPR entered the spotlight last year, everyone affected immediately knew they would have to dig deep into their pockets for costly investments in the security department. Those fears were well warranted, as one in 10 C-level security execs say GDPR compliance will cost their business more than $1 million. About two-thirds (36%) expect to end up spending between $50,000 and $100,000, and 24% anticipate disbursing between $100,000 and $1 million.
A good proportion of these investments will translate into paychecks for new hires responsible for GDPR matters.
82% of companies already have a Data Protection Officer (DPO) on staff, but 77% plan to hire a new, replacement DPO before GDPR takes effect. More than two-thirds of businesses have had to hire at least six new employees in accordance with some GDPR requirements, and 19% have had to hire at least 10 new staffers.
Unfortunately, the news is not all good. While most organizations are making inroads into GDPR compliance, some industries are not showing the same level of promptness. For instance, the healthcare and finance industries are the slowest to prepare for GDPR.
Despite the regulation making every aspect of their job more difficult, 82% of security executives say GDPR will bring a lot of positive change, especially in e-commerce, where it is important to evaluate third-party contractors properly and make sure partners themselves are GDPR compliant. 22% of respondents also believe the regulation will help them check the location of all business partners with whom data is shared.
Experts recommend that everyone affected by the GDPR take the regulation extremely seriously, and for good reason. The EU will fine any entity found non-compliant up to 4% of its annual revenue or up to €20 million, whichever is higher.
Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware and cyber-security, and has worked in various B2B and B2C marketing roles. Filip currently serves as Information Security Analyst with Bitdefender.