GDPR compliance benefits emerge a year and a half later

Correlation between compliance and improved security

Results from a Cisco survey indicated GDPR-compliant organizations are safer from breaches than noncompliant organizations: The percentage of GDPR-ready organizations affected by data breaches was 74% in 2018, compared to 89% of non-GDPR-ready companies. In addition, fewer records were affected, system downtime was shorter and monetary costs were lower in GDPR-ready organizations.

With data breach consequences ranging from fines to lost clients to public relations disasters, there are many reasons for businesses to focus on and prioritize GDPR compliance.

Many GDPR components can only help an organization's security posture. For example, mandates surrounding privileged access management, which audits user access to critical data, reduce the chances that high-risk privileged accounts become compromised. GDPR's 72-hour breach notification is also a considerable deterrent because it criminalizes cover-ups to force accountability. Additionally, GDPR mandates institutions that handle large amounts of sensitive data employ a data protection officer who is responsible for enforcing GDPR compliance along with the general data protection strategy of the organization.

Using GDPR to organize and simplify operations

GDPR requires organizations to self-assess and organize to get data in order. To be compliant, businesses must review what data they have, where it is stored and under what security conditions it can be accessed. Note that it is not enough to map out how one's own organization handles personal data; business leaders must also investigate how third-party suppliers handle and use data.

While companies may be overwhelmed by the process of auditing their data retention policies and those of their third-party supply chain, conducting data inventory assessments puts them in a better position to identify details about what data is where in the event of a security incident. In addition, an organization may come across issues, such as privileged access, that require auditing in order to improve security that may not have been considered outside of the efforts to organize and comply with GDPR.

Another GDPR compliance benefit is the way it legislates simplification. A GDPR-compliant organization must be familiar with the ins and outs of its data retention and whereabouts -- this can simplify threat detection and response. It also makes it possible to respond to data subject requests -- a GDPR mandate stating a data subject has the right to at any time obtain information from the data controller as to whether it has information on the subject, what information that is and where it is stored. In a report from the International Association of Privacy Professionals in 2019, 73% of organizations have undertaken data deletion efforts due to GDPR.

The core principle of GDPR is that personal data cannot be held longer than needed for the purpose it was collected. Consider how, prior to the GDPR start date, businesses began to improve their data governance policies in anticipation of its implementation in 2018. This commonsense principle of limiting personal data collection helps companies simplify operations by reducing the amount of data storage required. Purging data can also be a cost-cutting practice for organizations, as secure data storage is often a large expense.

Marketing trust to a privacy-literate public

GDPR has brought customer privacy and trust into mainstream conversation. This gives GDPR-compliant businesses the opportunity to message their brand to customers, employees and the general public as trustworthy and transparent. For example, EasyJet produced a video to creatively inform its audience about its privacy policy in an accessible way -- one which yielded some positive response online.

GDPR compliance benefits businesses by requiring them to perform data protection impact assessments (DPIAs), which many legal experts consider the most important component of the regulation. These self-assessments were designed to help organizations understand how their data processing and procedures impact customer privacy. By completing DPIAs, businesses can identify and mitigate aspects of their data collection and handling processes that could potentially violate GDPR policies.

DPIAs and self-evaluation of risk readiness can be communicated to the public as a proactive measure to protecting personal data. Businesses that have suffered a data breach understand they are not always treated as victims in the news -- the media and public criticism take a huge toll on their reputations. Organizations that market themselves as proactive and prove they've done their due diligence can go a long way in the eyes of a public hungry for an institution that promises to take their data privacy seriously.

Business leaders would be smart to advertise their GDPR compliance -- even if they are not subject to the regulation -- to target European clients and prove they take privacy seriously.

In addition, American-based companies that employ this strategy only serve to benefit as privacy regulation efforts in the U.S., such as the California Consumer Privacy Act, ramp up.