So it finally happened. After all the hype, the endless emails from organizations requesting consent, and the appointment of data controllers and data processors, the EU’s General Data Protection Regulation (GDPR) came into force last week.
This has been no small undertaking for any organization holding or processing data and information about EU citizens. Some organizations came to the party early, ready for compliance well in advance of the May 25 deadline. Others that perhaps had more pressing day-to-day matters to deal with only increased their efforts when it became clear that not to do so could result in a serious fine.
Irrespective of an organization's size, GDPR compliance has come at a cost. It is a cost of doing business, but nevertheless the funding had to be found. According to the International Association of Privacy Professionals (IAPP) and Ernst & Young (EY), US Fortune 500 companies have spent approximately $7.8bn on GDPR compliance, with UK FTSE 350 companies paying out around $1.1bn. That's nearly $9bn, and it includes nowhere near every organization that must comply.
Regulatory pressures such as GDPR have been treated as a priority and, as such, have diverted spend in many organizations. IT projects and business improvement projects have been put on hold, and from an information security perspective, spend has been diverted from addressing all but the immediate threat landscape. During the past year or so, it has become apparent that some of the compliance budget has come from security-related projects, not least because compliance itself consumes security resources (technology and people).
Senior IT professionals and security leaders receive regular and detailed views of the cybersecurity threat landscape and from that gain valuable insight into what they might expect to see over the coming year. The expectation (and realization) of increased threat activity would usually have influenced cybersecurity development strategies, but diverted spend means that for many organizations, only the most urgent requirements have been actioned.
Now that the regulation has launched, CISOs and security managers responsible for an organization’s security posture are asking for their diverted budgets to be made available again. No doubt this will be the same across the business. Compliance isn’t a one-off undertaking and must be sustained, but the significant investments associated with the preparation for GDPR should now be over, allowing funding of security to return to its "rightful" place.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer.