Professional Documents
Culture Documents
JANUARY 2019
Executive Summary
The EU’s General Data Protection Regulation (GDPR) became enforceable on
May 25, 2018, and privacy laws and regulations around the globe continue to
evolve and expand.
Most organizations have invested, and The findings from this study provide strong
continue to invest, in people, processes, evidence that organizations are benefitting
technology, and policies to meet customer from their privacy investments beyond
privacy requirements and avoid significant compliance. Organizations that are ready for
fines and other penalties. In addition, data GDPR are experiencing shorter delays in their
breaches continue to expose the personal sales cycle related to customers’ data privacy
information of millions of people, and concerns than those that are not ready for
organizations are concerned about the GDPR. GDPR-ready organizations have also
products they buy, services they use, people experienced fewer data breaches, and when
they employ, and with whom they partner breaches have occurred, fewer records
and do business with generally. As a result, were impacted, and system downtime was
customers are asking more questions during shorter. As a result, the total cost of data
Customers are asking the buying cycle about how their data is breaches was less than what organizations
more questions during the
captured, used, transferred, shared, stored, not ready for GDPR experienced. Even
buying cycle about how
their data is captured, and destroyed. In last year’s study (Cisco though companies have focused their
used, transferred, shared, 2018 Privacy Maturity Benchmark Study), efforts on meeting privacy regulations and
stored, and destroyed. Cisco introduced data and insights regarding
how these privacy concerns were negatively
impacting the buying cycle and timelines. This
year’s research updates those findings and “ Privacy is such a vital
ingredient to organizational
explores the benefits associated with success, both to protect data
”
privacy investment.
and foster innovation.
Cisco’s Data Privacy Benchmark Study utilizes John N. Stewart, Senior Vice-President
data from Cisco’s Annual Cybersecurity and Chief Security and Trust Officer, Cisco
Benchmark Study, a double-blind survey
completed by more than 3200 security
professionals in 18 countries and across all requirements, nearly all companies say they
major industries and geographic regions. are receiving other business benefits from
Many of the privacy specific questions were these investments beyond compliance.
addressed to more than 2900 respondents These privacy-related benefits are providing
who were familiar with the privacy processes competitive advantages to organizations,
at their organizations. Participants were asked and this study can help guide investment
about their readiness for GDPR, any delays in decisions as organizations work to mature
the sales cycle due to customer data privacy their privacy processes.
concerns, losses from data breaches, and
their current practices related to maximizing
the value of their data.
2
CISCO CYBERSECURITY SERIES 2019 Data Privacy Benchmark Study
3
CISCO CYBERSECURITY SERIES 2019 Data Privacy Benchmark Study
generally on the higher end of the range. 59% Not yet meeting most/ all
GDPR requirements, and it
will take more than a year
Not applicable—GDPR
doesn’t really apply to us
Figure 2 GDPR readiness by country Source: Cisco 2019 Data Privacy Benchmark Study, n=3206
Percent of respondents, N=3206
United
Kingdom 69% 46% Russia
60% Canada
58
% Germany
France 62%
57% USA 47% Turkey
42% China 45% Japan
Spain 76 % 72
% Italy
Saudi
Mexico 73% 55% Arabia
65% India
53% Brazil
50% Australia
69% Argentina
4
CISCO CYBERSECURITY SERIES 2019 Data Privacy Benchmark Study
Respondents were asked to identify the most Figure 4 Respondents experiencing delays in their
sales cycles due to customers’ data
significant challenges their organizations privacy concerns
faced in getting ready for GDPR. The top Percent of respondents, N=2064
responses were data security, internal
training, evolving regulations, and Privacy by 13%
87%
42% Meeting data security requirements
39% Internal training
Source: Cisco 2019 Data Privacy Benchmark Study
35% Staying on top of the ever-evolving developments
as the regulation matures
When asked about the length of the delay, the
34% Complying with Privacy By Design Requirements
estimates varied widely. The average delay for
34% Meeting data subject access requests
sales to existing customers was 3.9 weeks,
31% Cataloging and inventorying our data
and over 94% of organizations reported delays
30% Enabling data deletion requests
29% Hiring/identifying Data Protection Officers for each
between 0 and 10 weeks. Nonetheless, there
relevant geography were some organizations reporting delays
28% Vendor management up to 25 to 50 weeks or more. (See Figure
Source: Cisco 2019 Data Privacy Benchmark Study 5) Note that the average delay for sales to
prospects was 4.7 weeks, perhaps reflecting
the longer timeframes needed to adequately
Sales delays due to privacy
address privacy concerns in a new potential
Respondents were asked whether they are customer relationship. These average delays
experiencing delays in their sales cycles due
to customers’ data privacy concerns. 87% of
respondents said they do have sales delays,
Sales delays due to
whether from existing customers or
prospects. (See Figure 4) This is significantly customer data privacy
higher than the 66% of respondents who concerns continue to
reported sales delays in last year’s survey and be an issue for most
is likely due to the increased awareness of the
importance of data privacy, GDPR becoming
organizations.
87 % reported
enforceable, and the emergence of other they
privacy laws and requirements. Data privacy have delays
has become a board-level issue for many
in selling to existing
organizations, and customers are making sure
their vendors and business partners have customers or prospects,
adequate answers to their privacy concerns which is up significantly
before doing business together. from last year.
5
CISCO CYBERSECURITY SERIES 2019 Data Privacy Benchmark Study
for both existing customers and prospects Figure 6 Country break-down of distribution
of sales delays
are significantly shorter than the average Percent of respondents, N=2081
of 7.8 weeks reported in last year’s survey,
Country Avg delay
perhaps reflecting the fact that firms have (weeks)
become better equipped over the last year to Argentina 3.9
answer customer’s privacy concerns. Australia 3.9
Brazil 5.2
Figure 5 Delays in answering customers’
data privacy concerns Canada 5.1
Percent of respondents, N=2081 China 3.5
France 4.2
None
Germany 3.1
0-1
India 4.9
1-5 Average 3.9 weeks Italy 2.6
Russia 2.5
16-20
Saudi Arabia 4.8
21-25 Spain 5.5
Number of responses
to be deferred for some period of time.
●● educating the customer
about the company’s Source: Cisco 2019 Data Privacy Benchmark Study
This can lead to missed revenue targets,
privacy practices or
processes
impacting compensation, funding decisions,
and investor relations. In addition, delayed
●● having to redesign the By country, the distribution of sales delays for sales can often turn into lost sales, for
product to meet the
customer’s privacy existing customers ranged from 2.2 weeks instance when delays cause a potential
requirements
to 5.5 weeks. Longer delays can usually be customer to buy a competitor’s product or
found where privacy requirements are high not buy the product or service at all.
or in a state of transition, as organizations
work to adapt to the concerns raised by their
customers. (See Figure 6)
6
CISCO CYBERSECURITY SERIES 2019 Data Privacy Benchmark Study
7
CISCO CYBERSECURITY SERIES 2019 Data Privacy Benchmark Study
8
CISCO CYBERSECURITY SERIES 2019 Data Privacy Benchmark Study
Another tangible benefit from GDPR- While most companies reported having a data
readiness is that it appears to lower the breach in the last year, a lower percentage (74%)
frequency and impact of data breaches. of the GDPR-ready companies were impacted,
GDPR requires organizations to know where there compared to 80% of the organizations less than
personally identifiable information (PII) is located a year from GDPR readiness and 89% of those
and provide appropriate protections for this data. that are farthest from being GDPR ready. (See
These efforts may have helped organizations Figure 9)
better understand their data, the risks associated
with their data, and to establish or strengthen
protections for that data.
GDPR
ready
74% 79,000 6.4
GDPR ready
80% 100,000 8.1
<1 Year
GDPR ready
89% 212,000 9.4
>1 Year
9
CISCO CYBERSECURITY SERIES 2019 Data Privacy Benchmark Study
10
CISCO CYBERSECURITY SERIES 2019 Data Privacy Benchmark Study
Maximizing the value of data and insights from this survey can serve as
a framework and starting point for each
Data privacy is one critical aspect of an
organization to maximize the value from its
organization’s overall effort to maximize
privacy investments.
the value of its data assets over the data’s
lifecycle. Like any other asset, data should Figure 12 Behaviors typically found in
be efficiently acquired, stored, protected, mature data environments.
Percent of respondents, N=3259
utilized, and archived/deleted. Organizations
Organizations reporting they that maximize the value of their data in 42% We understand the value of most/all of our
data assets.
are meeting all or most of appropriate ways can benefit greatly by
42% We know where most/all of the Personally
GDPR’s requirements had building trust with customers and using well- Identifiable Information (PII) is located and
an average sales delay of
protected and curated data to enhance the how it is used.
3.4 weeks.
customer experience and drive greater value 40% We are effective in connecting different data
assets together to create more value for our
for all stakeholders. customers and ourselves.
37% We have a relatively complete catalog of our
Respondents in this survey were asked data assets.
about a range of behaviors typically found in 32% We have a chief data officer.
mature data environments, such as having 32% We consider ourselves an information-centric
company.
a complete data catalog, connecting data
30% We are able to monetize selected data assets
to other assets, hiring a chief data officer, by selling (or bartering) them externally.
and monetizing the data externally. (See 2% None of the above.
Figure 12) Fewer than one-half of the Source: Cisco 2019 Data Privacy Benchmark Study
11
CISCO CYBERSECURITY SERIES 2019 Data Privacy Benchmark Study
12
CISCO CYBERSECURITY SERIES 2019 Data Privacy Benchmark Study
Conclusion
This research has quantified a number of
business benefits connected to privacy
maturity. Many of the benefits initially
identified in last year’s report have been
confirmed and explored more fully, including
reducing privacy-related sales delays and
reducing the frequency and impact of
data breaches. In future research, we’ll
Privacy investment has explore how these benefits are changing
created business value far over time, especially as privacy regulations
beyond compliance and
and customer expectations continue to
has become an important
competitive advantage for evolve in different industries and different
many companies. geographies. Cisco will continue to work
with our customers and other leaders in the
privacy field to provide informbation for better
investment decision-making and improved
trust with our customers.
13
CISCO CYBERSECURITY SERIES 2019 Data Privacy Benchmark Study
In our new approach to our thought leadership, Cisco Security is publishing a series of
research-based, data-driven publications under the banner Cisco Cybersecurity Series.
We’ve expanded the number of titles to include different reports for security professionals
with different interests. Calling on the depth and breadth of expertise in threat researchers
and innovators in the security industry, the collection of reports in the 2019 series include
the Data Privacy Benchmark Study, the Threat Report and the CISO Benchmark Study, with
others to come throughout the year.
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to
this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1110R)
Adobe, Acrobat, and Flash are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. 14