Cisco said its 2020 Data Privacy Benchmark Study shows growing benefits for businesses that adopt strong privacy practices.
The study is based on results from a survey of 2,800 security professionals in organizations of various sizes across 13 countries. It provides insight into the state of privacy a year and a half after the effective date of the European Union’s General Data Protection Regulation (GDPR).
Customer demands for increased data protection and privacy, the threat of data breaches and misuse by both unauthorized and authorized users, and preparation for the GDPR and similar laws around the globe spurred many organizations to make considerable privacy investments – which are now delivering strong returns.
Organizations, on average, receive benefits 2.7 times their investment, and more than 40 percent are seeing benefits that are at least twice that of their privacy spend.
Over 70 percent of organizations (up from 40 percent last year) say they receive significant business benefits from privacy efforts beyond compliance, including better agility, increased competitive advantage, improved attractiveness to investors, and greater customer trust.
Companies with higher accountability scores experience lower breach costs, shorter sales delays, and higher financial returns.
Privacy certifications such as the ISO 27701, EU/Swiss-US Privacy Shield, and APEC Cross Border Privacy Rules system are becoming an important buying factor when selecting a third-party vendor. India and Brazil topped the list with 95 percent of respondents agreeing external certifications are now an important factor.
Cisco Vice President & Chief Privacy Officer Harvey Jang said: “With this Study, we now have empirical evidence of privacy investments paying off for companies — particularly with improved customer relationships, revenue impact, and real bottom-line results.”
The average return on privacy investment varies significantly by country, with the highest average returns located in the UK (3.5x), Brazil (3.3x), and Mexico (3.3x).
Larger companies are spending more and receiving more benefits, but the ratio of benefits to spending is similar for large, midsize, and small companies.
High accountability organizations spend somewhat more annually on their privacy programs ($1.5 million) compared to the low accountability group ($1.1 million). But these organizations also saw much greater average benefits ($3.4 million vs. $2.0 million). This translates to an overall privacy return of 3.1x for high accountability organizations, 2.7x for the middle group, and 2.3x for the low accountability organizations. The implication is that achieving higher levels of privacy accountability requires additional investment, but this investment provides very large returns.
Among organizations with accountability scores of 4.0 or less, 13 percent experienced no data breaches last year. Organizations with scores above 4.0, however, were over twice as likely to be breach-free (28 percent). In addition, the impact and costs of a breach were significantly lower for these high accountability organizations. They had 19 percent less downtime from breaches, 28 percent fewer records impacted by a breach, and 10 percent lower breach costs.
Organizations scoring high (above 4.0) in accountability averaged 3.6 weeks of sales delay, compared with 3.9 weeks for the middle accountability group and 5.5 weeks for the low accountability group. This translates to a 35 percent reduction in average sales delays, enabling organizations to better protect themselves and ensure a more reliable revenue stream.
Since GDPR became enforceable in May 2018, we have monitored organizations’ progress with GDPR readiness.
Among respondents in this year’s survey, 55 percent said they are now ready for GDPR, 29 percent said they will be ready within a year, 12 percent expect to be ready in more than a year, and 3 percent said GDPR does not apply to them. These results are nearly identical to the results in last year’s study, perhaps implying that organizations have not made significant progress with GDPR readiness since last year.